{"vuid":"VU#157447","idnumber":"157447","name":"OpenSSH UseLogin directive permits privilege escalation","keywords":["openssh","remote"],"overview":"OpenSSH is an implementation of the Secure Shell protocol. When OpenSSH is configured with the UseLogin directive equal to \"yes\", an intruder can execute arbitrary code with the privileges of OpenSSH, usually root.","clean_desc":"OpenSSH contains a vulnerability that permits an intruder to execute arbitrary code. When the UseLogin directive is enabled, a user can set environment variables that are used by login. An intruder can use this vulnerability to execute commands with the privileges of OpenSSH, usually root. UseLogin is not enabled by default; however, it is a common configuration. The intruder must be able to authenticate to the system using public key authentication. This vulnerability is not related to VU#40327 (https://www.kb.cert.org/vuls/id/40327).","impact":"An intruder can use this vulnerability to execute commands with the privileges of OpenSSH, usually root.","resolution":"OpenSSH 3.0.2 resolves this vulnerability and is available at ftp://ftp.openbsd.com/pub/OpenBSD/OpenSSH/openssh-3.0.2.tgz.","workarounds":"We strongly encourage you to review your configuration to determine whether or not UseLogin is enabled. If the use of UseLogin is required at your site, you may wish to temporarily disable access to the SSH service until a patch can be applied.","sysaffected":"","thanks":"The CERT/CC thanks Marcus Friedl of OpenBSD, and Jacques A. Vidrine of FreeBSD for information related to this vulnerability.","author":"This document was written by Jason Rafail.","public":["http://www.securityfocus.com/bid/3614","ftp://ftp.openbsd.com/pub/OpenBSD/OpenSSH/openssh-3.0.2.tgz","http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100747128105913&w=2"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2001-12-04T00:01:20Z","publicdate":"2001-12-04T00:00:00Z","datefirstpublished":"2001-12-04T17:02:20Z","dateupdated":"2002-01-02T16:28:41Z","revision":16,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"13","cam_population":"10","cam_impact":"20","cam_easeofexploitation":"15","cam_attackeraccessrequired":"10","cam_scorecurrent":"15.75","cam_scorecurrentwidelyknown":"18.5625","cam_scorecurrentwidelyknownexploited":"29.8125","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":15.75,"vulnote":null}