#VU2015 Improper input validation in OpenSSH


Published: 2020-03-18

Vulnerability identifier: #VU2015

Vulnerability risk: Low

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-10009

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
OpenSSH
Server applications / Remote management servers, RDP, SSH

Vendor: OpenSSH

Description
The vulnerability allows a remote attacker to execute arbitrary code on vulnerable ssh client.

The vulnerability exists due to incorrect handling of data passed to PKCS#11 module within ssh-agent. A remote attacker with control over sshd service can execute arbitrary code on vulnerable client.

Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on vulnerable client system but requires that client is connected to malicious SSH server.

Mitigation
Install the latest version of OpenSSH 7.4.

Vulnerable software versions

OpenSSH: 7.3p1

External links
http://www.openssh.com/txt/release-7.4
http://www.openwall.com/lists/oss-security/2016/12/19/2
http://github.com/openbsd/src/commit/9476ce1dd37d3c3218d5640b74c34c65e5f4efe5

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Juniper Networks Junos cRPD
Multiple vulnerabilities in Juniper Cloud Native Router
Multiple vulnerabilities in Juniper Networks Session Smart Router
Amazon Linux AMI update for openssh
openEuler update for openssh
Juniper Junos OS update for OpenSSH
Multiple vulnerabilities in Juniper Junos Space
Multiple vulnerabilities in IBM BladeCenter Advanced Management Module (AMM)
Ubuntu update for OpenSSH
Amazon Linux AMI update for openssh