FreeBSD update for OpenSSH



Published: 2017-01-11 | Updated: 2017-01-12
Risk Low
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2016-10009
CVE-2016-10010
CWE-ID CWE-20
CWE-264
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Vulnerable software
Subscribe 		FreeBSD
Operating systems & Components / Operating system

Vendor FreeBSD Foundation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU2015

Risk: Low

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-10009

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on vulnerable ssh client.

The vulnerability exists due to incorrect handling of data passed to PKCS#11 module within ssh-agent. A remote attacker with control over sshd service can execute arbitrary code on vulnerable client.

Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on vulnerable client system but requires that client is connected to malicious SSH server.

Mitigation

Download and install patch:

# fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch.asc
# gpg --verify openssh.patch.asc

Vulnerable software versions

FreeBSD: 10.3 - 11.0

External links

http://lists.freebsd.org/pipermail/freebsd-security-notifications/2017-January/000305.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Privilege escalation

EUVDB-ID: #VU2053

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-10010

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local user to execute arbitrary code on vulnerable system with root privileges.

The vulnerability exists due to an error in sshd in serverloop.c, which may allow a local authenticated user to execute arbitrary code with root privileges via a forwarded Unix-domain socket.

Successful exploitation of this vulnerability may allow a local user to elevate privileges.

Mitigation

Download and install patch:

# fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch.asc
# gpg --verify openssh.patch.asc

Vulnerable software versions

FreeBSD: 10.3 - 11.0

External links

http://lists.freebsd.org/pipermail/freebsd-security-notifications/2017-January/000305.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###