Updated OpenSSH packages are now available for Red Hat Linux 7, 7.1, and 7.2. These packages fix a vulnerability which exists when a server is configured with the "UseLogin" option.
When the "UseLogin" option is enabled in OpenSSH, a malicious user who authenticates using key-based authentication methods can influence the environment variables passed to the login process. This could allow the user to execute arbitrary code with superuser privileges. In Red Hat Linux the OpenSSH server has the "UseLogin" option disabled by default. Therefore, it is not vulnerable unless the system administrator has changed this setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-0872 to this issue.
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center