SB2016122003 - Multiple vulnerabilities in OpenSSH
Published: December 20, 2016 Updated: December 21, 2016
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote attacker to bypass certain security restrictions. The vulnerability exists due to an error in sshd, which can be used to bypass address-based access controls if the AllowUsers directive is configured with invalid CIDR address ranges.
Successful exploitation of this vulnerability may allow a remote attacker to bypass the implemented access control mechanisms and perform further attacks against the vulnerable system.
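A defender-side check for the AllowUsers issue above: the script below lints the host part of AllowUsers/DenyUsers patterns in an sshd_config and reports CIDR ranges that do not parse. This is an added example, not code from the bulletin or from OpenSSH; the configuration fragment is constructed, and treating ranges with host bits set as misconfigurations is this lint's own, deliberately strict, choice.

```python
import ipaddress

# Constructed sshd_config fragment for demonstration (not from the bulletin).
SAMPLE_SSHD_CONFIG = """\
Port 22
# user@host patterns; the host part may be a hostname glob or a CIDR range
AllowUsers alice@10.0.0.0/8 bob@192.168.1.0/24,!192.168.1.99/32
AllowUsers carol@10.1.2.3/8 dave@172.16.0.0/33 erin@*.example.com
DenyUsers mallory@2001:db8::/32 oscar@2001:db8::/129
AllowGroups admins
"""

# Only the user directives accept a host part; the group directives do not.
HOST_ACL_DIRECTIVES = ("allowusers", "denyusers")


def cidr_problem(addr_pattern):
    """Return None if addr_pattern is not CIDR or parses cleanly, else why not.

    strict=True also rejects ranges whose host bits are set (e.g. 10.1.2.3/8).
    Flagging those is this lint's choice; it is an assumption that this is
    at least as strict as sshd's own address parser.
    """
    if "/" not in addr_pattern:
        return None  # hostname or glob pattern, not an address range
    try:
        ipaddress.ip_network(addr_pattern, strict=True)
    except ValueError as exc:
        return str(exc)
    return None


def lint_sshd_acl(config_text):
    """Return [(lineno, directive, pattern, reason)] for bad CIDR host parts."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not fields or fields[0].lower() not in HOST_ACL_DIRECTIVES:
            continue
        for pattern in fields[1:]:
            if "@" not in pattern:
                continue  # bare user name: no host restriction to check
            host_part = pattern.split("@", 1)[1]
            # The host part may be a comma-separated list with "!" negations.
            for item in host_part.split(","):
                reason = cidr_problem(item.lstrip("!"))
                if reason:
                    findings.append((lineno, fields[0], pattern, reason))
    return findings


if __name__ == "__main__":
    for lineno, directive, pattern, reason in lint_sshd_acl(SAMPLE_SSHD_CONFIG):
        print(f"line {lineno}: {directive} {pattern}: {reason}")
```

Run it against a real sshd_config by reading the file into `lint_sshd_acl`; any finding is a pattern worth correcting regardless of the OpenSSH version in use.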
2) Buffer overflow (CVE-ID: CVE-2016-10012)
The vulnerability allows a local user to execute arbitrary code on a vulnerable system with root privileges. The vulnerability exists in sshd due to a flaw in boundary checks in the shared memory manager that may be skipped by some optimizing compilers. A local user can trigger memory corruption and execute arbitrary code with root privileges. The issue is related to the m_zback and m_zlib data structures.
Successful exploitation of this vulnerability may allow a local user to elevate privileges.
3) Information disclosure (CVE-ID: CVE-2016-10011)
The vulnerability allows a local user to gain access to potentially sensitive information. The vulnerability exists due to an error in authfile.c, which may allow a local authenticated user to obtain host private key material.
Successful exploitation of this vulnerability may allow a local user to gain access to otherwise restricted information.
4) Privilege escalation (CVE-ID: CVE-2016-10010)
The vulnerability allows a local user to execute arbitrary code on a vulnerable system with root privileges. The vulnerability exists due to an error in sshd in serverloop.c, which may allow a local authenticated user to execute arbitrary code with root privileges via a forwarded Unix-domain socket.
Successful exploitation of this vulnerability may allow a local user to elevate privileges.
5) Improper input validation (CVE-ID: CVE-2016-10009)
The vulnerability allows a remote attacker to execute arbitrary code on a vulnerable SSH client. The vulnerability exists due to incorrect handling of data passed to a PKCS#11 module within ssh-agent. A remote attacker with control over the sshd service can execute arbitrary code on the vulnerable client.
Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on the vulnerable client system, but requires that the client is connected to a malicious SSH server.
Remediation
Install the update from the vendor's website.
References
- https://www.openssh.com/txt/release-7.4
- https://github.com/openbsd/src/commit/3095060f479b86288e31c79ecbc5131a66bcd2f9
- http://www.openwall.com/lists/oss-security/2016/12/19/2
- https://github.com/openbsd/src/commit/ac8147a06ed2e2403fb6b9a0c03e618a9333c0e9
- https://github.com/openbsd/src/commit/c76fac666ea038753294f2ac94d310f8adece9ce
- https://github.com/openbsd/src/commit/9476ce1dd37d3c3218d5640b74c34c65e5f4efe5