Vulnerability CVE-2016-10009


Published: 2017-01-04   Modified: 2017-01-05

Description:
Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.
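The mechanism in the description, as an added illustration that is not code from this page or from OpenSSH: the agent request that names a PKCS#11 module (SSH_AGENTC_ADD_SMARTCARD_KEY, message number 20 in the SSH agent protocol, which is what ssh-add -s sends) is encoded and parsed, then an agent-side check in the spirit of the 7.4 fix (refuse provider paths outside a trusted pattern list; see the release-7.4 reference below) is applied, with the pre-7.4 behaviour selectable for comparison. The default pattern list, the function names and the path-normalisation step are this example's own assumptions, not OpenSSH's exact values.

```python
"""Constructed illustration of the ssh-agent PKCS#11 provider-path check.
Not OpenSSH code; the whitelist default and normalisation are assumptions."""
import fnmatch
import posixpath
import struct

# Message number from the SSH agent protocol (draft-miller-ssh-agent):
# the request `ssh-add -s /path/to/module.so` sends to the agent.
SSH_AGENTC_ADD_SMARTCARD_KEY = 20

# Assumed default pattern list. OpenSSH sets its own default and lets it be
# overridden at run time (ssh-agent -P), so treat this value as illustrative.
DEFAULT_WHITELIST = "/usr/lib/*,/usr/local/lib/*"


def ssh_string(data: bytes) -> bytes:
    """Encode a byte string in SSH wire format: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_add_smartcard_key(provider: str, pin: str = "") -> bytes:
    """Encode an SSH_AGENTC_ADD_SMARTCARD_KEY request: uint32 frame length,
    byte message type, string provider path, string PIN."""
    body = (bytes([SSH_AGENTC_ADD_SMARTCARD_KEY])
            + ssh_string(provider.encode())
            + ssh_string(pin.encode()))
    return struct.pack(">I", len(body)) + body


def _read_string(buf: bytes, off: int):
    """Read one SSH string at offset `off`; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def parse_request(frame: bytes):
    """Decode one agent frame into (message type, provider path, pin)."""
    (n,) = struct.unpack_from(">I", frame, 0)
    body = frame[4:4 + n]
    if len(body) != n or n < 1:
        raise ValueError("bad frame length")
    msg_type = body[0]
    provider, off = _read_string(body, 1)
    pin, _ = _read_string(body, off)
    return msg_type, provider.decode(), pin.decode()


def provider_allowed(provider: str, whitelist: str = DEFAULT_WHITELIST) -> bool:
    """Accept the path only if it is absolute, is already in normalised form
    (so '..', '.' and '//' segments are rejected) and matches one pattern of
    the comma-separated list. The normalisation step is this example's own
    addition; '*' matches across '/' here, as in a glob on the full path."""
    if not provider.startswith("/"):
        return False
    if posixpath.normpath(provider) != provider:
        return False
    return any(fnmatch.fnmatchcase(provider, pat) for pat in whitelist.split(","))


def handle_request(frame: bytes, whitelist: str = DEFAULT_WHITELIST,
                   enforce_whitelist: bool = True) -> str:
    """Return what the agent would do with the frame: 'load' (hand the path to
    the PKCS#11 helper, which dlopen()s it), 'refuse', or 'ignore' for other
    message types. enforce_whitelist=False models the pre-7.4 behaviour the
    CVE describes: any path named over the (possibly forwarded) socket is loaded."""
    msg_type, provider, _pin = parse_request(frame)
    if msg_type != SSH_AGENTC_ADD_SMARTCARD_KEY:
        return "ignore"
    if enforce_whitelist and not provider_allowed(provider, whitelist):
        return "refuse"
    return "load"


if __name__ == "__main__":
    # Constructed sample paths: a plausible provider and two attacker-chosen ones.
    for path in ("/usr/lib/opensc-pkcs11.so", "/tmp/evil.so", "/usr/lib/../tmp/evil.so"):
        frame = build_add_smartcard_key(path)
        print(f"{path:28} pre-7.4: {handle_request(frame, enforce_whitelist=False):7}"
              f" 7.4+: {handle_request(frame)}")
```

The point the check cannot fix on its own: over a forwarded agent connection, the peer that holds the socket chooses the provider path, so anything the agent is willing to dlopen() is code execution on the agent's host. The whitelist limits that to directories an unprivileged peer should not be able to write to; not forwarding the agent to hosts you do not trust (ForwardAgent no) removes the exposure entirely.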

See advisories in our WLB2 database:

Risk   Topic                               Author      Date
High   OpenSSH Arbitrary Library Loading   Jann Horn   24.12.2016

Type: CWE-426 (Untrusted Search Path)

Vendor: Openbsd
Product: Openssh
Version: 7.3

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
http://packetstormsecurity.com/files/140261/OpenSSH-Arbitrary-Library-Loading.html
http://www.openwall.com/lists/oss-security/2016/12/19/2
http://www.securityfocus.com/bid/94968
http://www.securitytracker.com/id/1037490
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.647637
https://access.redhat.com/errata/RHSA-2017:2029
https://bugs.chromium.org/p/project-zero/issues/detail?id=1009
https://github.com/openbsd/src/commit/9476ce1dd37d3c3218d5640b74c34c65e5f4efe5
https://security.FreeBSD.org/advisories/FreeBSD-SA-17:01.openssh.asc
https://security.netapp.com/advisory/ntap-20171130-0002/
https://usn.ubuntu.com/3538-1/
https://www.exploit-db.com/exploits/40963/
https://www.openssh.com/txt/release-7.4

Related CVE
CVE-2016-10708
sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.
CVE-2017-15906
The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
CVE-2015-7687
Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via vectors involving req_ca_vrfy_smtp and req_ca_vrfy_mta.
CVE-2017-1000373
The OpenBSD qsort() function is recursive and not randomized, so an attacker can construct a pathological input array of N elements that causes qsort() to deterministically recurse N/4 times. This allows attackers to consume arbitrary amounts of stack ...
CVE-2017-1000372
A flaw exists in OpenBSD's implementation of the stack guard page that allows attackers to bypass it resulting in arbitrary code execution using setuid binaries such as /usr/bin/at. This affects OpenBSD 6.1 and possibly earlier versions.
CVE-2017-8301
LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of inval...
CVE-2016-1908
The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding...
CVE-2017-5850
httpd in OpenBSD allows remote attackers to cause a denial of service (memory consumption) via a series of requests for a large file using an HTTP Range header.

Copyright 2018, cxsecurity.com
