Multiple Vulnerabilities in OpenSSH
Severity Rating: HIGH
Software Affected
• OpenSSH prior to 7.4
Overview
Multiple vulnerabilities have been reported in OpenSSH which could be
exploited by an attacker to execute arbitrary code, access sensitive
Description
1. Remote Code Execution Vulnerability (CVE-2016-10009)
This vulnerability exists in sshd's loading of PKCS#11 modules (shared
libraries) from paths outside a trusted whitelist. A remote
unauthenticated attacker with control of the sshd service could exploit this
vulnerability by requesting that the targeted ssh-agent load a specially
crafted PKCS#11 module across a forwarded agent channel.
Successful exploitation of the vulnerability could allow the attacker to
execute arbitrary code on, or write files to, the target system running the
ssh-agent.
2. Privilege Escalation Vulnerability (CVE-2016-10010)
This vulnerability exists in sshd when privilege separation is disabled. An
attacker could exploit this vulnerability via a forwarded Unix-domain
socket to gain root privileges.
3. Information Disclosure Vulnerability (CVE-2016-10011)
This vulnerability exists in sshd. A local attacker could exploit it via
realloc() when keys are being read, in order to obtain host private key
material.
4. Security Feature Bypass Vulnerability (CVE-2016-10012)
This vulnerability exists in sshd because bounds checks in the shared
memory manager are not guaranteed to survive optimizing compilers, when
pre-authentication compression is disabled. A remote attacker could exploit
this vulnerability to bypass security restrictions, which could be
leveraged to conduct further attacks.
5. Security Bypass Vulnerability
This vulnerability exists in sshd due to improper validation of CIDR
address ranges in the AllowUsers and DenyUsers directives at configuration
load time. A remote attacker could exploit this vulnerability to bypass
address-based access controls if the AllowUsers directive is configured
with invalid CIDR address ranges.
Solution
Update to OpenSSH 7.4
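As an added example that is not part of the CERT-In advisory, the following Python audit checks a host against the three items a defender can verify from configuration alone: the OpenSSH version banner against the fixed release (Solution), whether privilege separation is turned off (item 2), and whether AllowUsers/DenyUsers entries carry CIDR ranges that do not parse (item 5). The sshd_config fragment and the banners are constructed samples; on a real host the banner comes from the server's SSH greeting and the text from /etc/ssh/sshd_config.

```python
import ipaddress
import re

# Constructed sshd_config fragment for demonstration (not from any real host).
SAMPLE_SSHD_CONFIG = """\
Port 22
UsePrivilegeSeparation no
AllowUsers alice@10.0.0.0/8 bob@192.168.1.0/33 carol@2001:db8::/64 dave
DenyUsers eve@172.16.0.0/12
"""

FIXED_VERSION = (7, 4)  # the release named in the advisory's Solution


def parse_version(banner):
    """Return (major, minor) from a banner such as 'SSH-2.0-OpenSSH_7.2p2'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not an OpenSSH banner: %r" % banner)
    return int(m.group(1)), int(m.group(2))


def needs_update(banner):
    """True when the advertised version is older than the fixed release."""
    return parse_version(banner) < FIXED_VERSION


def privsep_disabled(config_text):
    """True when UsePrivilegeSeparation is explicitly set to 'no' (item 2)."""
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "useprivilegeseparation":
            return parts[1].lower() == "no"
    return False  # keyword absent: the default is not 'no'


def invalid_cidr_patterns(config_text):
    """Return AllowUsers/DenyUsers patterns whose host part is an unparseable
    CIDR range (item 5); pre-7.4 sshd accepted these at load time."""
    bad = []
    for line in config_text.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() not in ("allowusers", "denyusers"):
            continue
        for pattern in parts[1:]:
            host = pattern.split("@", 1)[1] if "@" in pattern else ""
            if "/" not in host:
                continue  # plain user, hostname or wildcard: not a CIDR range
            try:
                ipaddress.ip_network(host, strict=False)
            except ValueError:
                bad.append(pattern)
    return bad
```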
Vendor Information
OpenSSH
CVE Name
CVE-2016-10009
CVE-2016-10010
CVE-2016-10011
CVE-2016-10012
Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in