ID CVE-2016-10012
Summary The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.
References
Vulnerable Configurations
  • OpenBSD OpenSSH 7.3
    cpe:2.3:a:openbsd:openssh:7.3
CVSS
Base: 7.2 (as of 05-01-2017 - 10:55)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOS_10_12_4.NASL
    description The remote host is running a version of macOS that is 10.12.x prior to 10.12.4. It is, therefore, affected by multiple vulnerabilities in multiple components, some of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these remote code execution vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. The affected components are as follows : - apache - apache_mod_php - AppleGraphicsPowerManagement - AppleRAID - Audio - Bluetooth - Carbon - CoreGraphics - CoreMedia - CoreText - curl - EFI - FinderKit - FontParser - HTTPProtocol - Hypervisor - iBooks - ImageIO - Intel Graphics Driver - IOATAFamily - IOFireWireAVC - IOFireWireFamily - Kernel - Keyboards - libarchive - libc++abi - LibreSSL - MCX Client - Menus - Multi-Touch - OpenSSH - OpenSSL - Printing - python - QuickTime - Security - SecurityFoundation - sudo - System Integrity Protection - tcpdump - tiffutil - WebKit
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 99134
    published 2017-03-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99134
    title macOS 10.12.x < 10.12.4 Multiple Vulnerabilities (httpoxy)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2029.NASL
    description An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754) Security Fix(es) : * A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) * It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) * It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) * It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) * It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 102751
    published 2017-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102751
    title CentOS 7 : openssh (CESA-2017:2029)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2685-1.NASL
    description This update for openssh provides the following fixes : Security issues fixed : CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). CVE-2016-10012: Remove pre-auth compression support from the server to prevent possible cryptographic attacks (bsc#1016370). CVE-2008-1483: Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Bug fixes: bsc#1017099: Enable case-insensitive hostname matching. bsc#1023275: Add a new switch for printing diagnostic messages in sftp client's batch mode. bsc#1048367: systemd integration to work around various race conditions. bsc#1053972: Remove duplicate KEX method. bsc#1092582: Add missing piece of systemd integration. Remove the limit on the amount of tasks sshd can run. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 117452
    published 2018-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117452
    title SUSE SLES12 Security Update : openssh (SUSE-SU-2018:2685-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2029.NASL
    description From Red Hat Security Advisory 2017:2029 : An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754) Security Fix(es) : * A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) * It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) * It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) * It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) * It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 102296
    published 2017-08-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102296
    title Oracle Linux 7 : openssh (ELSA-2017-2029)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2029.NASL
    description An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754) Security Fix(es) : * A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) * It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) * It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) * It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) * It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 102112
    published 2017-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102112
    title RHEL 7 : openssh (RHSA-2017:2029)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-898.NASL
    description A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 103650
    published 2017-10-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103650
    title Amazon Linux AMI : openssh (ALAS-2017-898)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-184.NASL
    description This update for openssh fixes several issues. These security issues were fixed : - CVE-2016-8858: The kex_input_kexinit function in kex.c allowed remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests (bsc#1005480). - CVE-2016-10012: The shared memory manager (associated with pre-authentication compression) did not ensure that a bounds check is enforced by all compilers, which might allowed local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures (bsc#1016370). - CVE-2016-10009: Untrusted search path vulnerability in ssh-agent.c allowed remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket (bsc#1016366). - CVE-2016-10010: When forwarding unix domain sockets with privilege separation disabled, the resulting sockets have be created as 'root' instead of the authenticated user. Forwarding unix domain sockets without privilege separation enabled is now rejected. - CVE-2016-10011: authfile.c in sshd did not properly consider the effects of realloc on buffer contents, which might allowed local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process (bsc#1016369). These non-security issues were fixed : - Adjusted suggested command for removing conflicting server keys from the known_hosts file (bsc#1006221) - Properly verify CIDR masks in configuration (bsc#1005893 bsc#1021626) This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2019-02-21
    modified 2017-02-01
    plugin id 96919
    published 2017-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96919
    title openSUSE Security Update : openssh (openSUSE-2017-184)
  • NASL family Misc.
    NASL id OPENSSH_74.NASL
    description According to its banner, the version of OpenSSH running on the remote host is prior to 7.4. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in ssh-agent due to loading PKCS#11 modules from paths that are outside a trusted whitelist. A local attacker can exploit this, by using a crafted request to load hostile modules via agent forwarding, to execute arbitrary code. To exploit this vulnerability, the attacker would need to control the forwarded agent-socket (on the host running the sshd server) and the ability to write to the file system of the host running ssh-agent. (CVE-2016-10009) - A flaw exists in sshd due to creating forwarded Unix-domain sockets with 'root' privileges whenever privilege separation is disabled. A local attacker can exploit this to gain elevated privileges. (CVE-2016-10010) - An information disclosure vulnerability exists in sshd within the realloc() function due leakage of key material to privilege-separated child processes when reading keys. A local attacker can possibly exploit this to disclose sensitive key material. Note that no such leak has been observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users. (CVE-2016-10011) - A flaw exists in sshd within the shared memory manager used by pre-authenticating compression support due to a bounds check being elided by some optimizing compilers and due to the memory manager being incorrectly accessible when pre-authenticating compression is disabled. A local attacker can exploit this to gain elevated privileges. (CVE-2016-10012) - A denial of service vulnerability exists in sshd when handling KEXINIT messages. An unauthenticated, remote attacker can exploit this, by sending multiple KEXINIT messages, to consume up to 128MB per connection. - A flaw exists in sshd due to improper validation of address ranges by the AllowUser and DenyUsers directives at configuration load time. A local attacker can exploit this, via an invalid CIDR address range, to gain access to restricted areas. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 96151
    published 2016-12-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96151
    title OpenSSH < 7.4 Multiple Vulnerabilities
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170801_OPENSSH_ON_SL7_X.NASL
    description The following packages have been upgraded to a later upstream version: openssh (7.4p1). Security Fix(es) : - A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) - It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) - It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) - It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) - It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 102650
    published 2017-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102650
    title Scientific Linux Security Update : openssh on SL7.x x86_64
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0001_OPENSSH.NASL
    description An update of the openssh package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121665
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121665
    title Photon OS 1.0: Openssh PHSA-2017-0001
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1138.NASL
    description According to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.(CVE-2016-10012) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 102225
    published 2017-08-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102225
    title EulerOS 2.0 SP1 : openssh (EulerOS-SA-2017-1138)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1139.NASL
    description According to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.(CVE-2016-10012) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 102226
    published 2017-08-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102226
    title EulerOS 2.0 SP2 : openssh (EulerOS-SA-2017-1139)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-358-02.NASL
    description New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2019-02-21
    modified 2017-09-21
    plugin id 96091
    published 2016-12-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96091
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : openssh (SSA:2016-358-02)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2275-1.NASL
    description This update for openssh fixes the following issues: Security issues fixed : - CVE-2016-10012: Fix pre-auth compression checks that could be optimized away (bsc#1016370). - CVE-2016-10708: Fix remote denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYSmessage (bsc#1076957). - CVE-2017-15906: Fix r/o sftp-server zero byte file creation (bsc#1065000). - CVE-2008-1483: Fix accidental re-introduction of CVE-2008-1483 (bsc#1069509). Bug fixes : - bsc#1017099: Match conditions with uppercase hostnames fail (bsc#1017099) - bsc#1053972: supportedKeyExchanges diffie-hellman-group1-sha1 is duplicated (bsc#1053972) - bsc#1023275: Messages suppressed after upgrade from SLES 11 SP3 to SP4 (bsc#1023275) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 111639
    published 2018-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111639
    title SUSE SLES11 Security Update : openssh (SUSE-SU-2018:2275-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0264-1.NASL
    description This update for openssh fixes several issues. These security issues were fixed : - CVE-2016-8858: The kex_input_kexinit function in kex.c allowed remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests (bsc#1005480). - CVE-2016-10012: The shared memory manager (associated with pre-authentication compression) did not ensure that a bounds check is enforced by all compilers, which might allowed local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures (bsc#1016370). - CVE-2016-10009: Untrusted search path vulnerability in ssh-agent.c allowed remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket (bsc#1016366). - CVE-2016-10010: When forwarding unix domain sockets with privilege separation disabled, the resulting sockets have be created as 'root' instead of the authenticated user. Forwarding unix domain sockets without privilege separation enabled is now rejected. - CVE-2016-10011: authfile.c in sshd did not properly consider the effects of realloc on buffer contents, which might allowed local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process (bsc#1016369). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 96718
    published 2017-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96718
    title SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2017:0264-1)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0001.NASL
    description An update of [openssh,linux,libxml2] packages for PhotonOS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111850
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111850
    title Photon OS 1.0: Libxml2 / Linux / Openssh PHSA-2017-0001 (deprecated)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3538-1.NASL
    description Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from untrusted directories. A remote attacker could possibly use this issue to execute arbitrary PKCS#11 modules. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10009) Jann Horn discovered that OpenSSH incorrectly handled permissions on Unix-domain sockets when privilege separation is disabled. A local attacker could possibly use this issue to gain privileges. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-10010) Jann Horn discovered that OpenSSH incorrectly handled certain buffer memory operations. A local attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10011) Guido Vranken discovered that OpenSSH incorrectly handled certain shared memory manager operations. A local attacker could possibly use issue to gain privileges. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10012) Michal Zalewski discovered that OpenSSH incorrectly prevented write operations in readonly mode. A remote attacker could possibly use this issue to create zero-length files, leading to a denial of service. (CVE-2017-15906). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 106266
    published 2018-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106266
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : openssh vulnerabilities (USN-3538-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-3540-1.NASL
    description This update for openssh fixes the following issues : Security issues fixed : CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not want to treat such a username enumeration (or 'oracle') as a vulnerability. (bsc#1106163) CVE-2017-15906: The process_open function in sftp-server.c in OpenSSH did not properly prevent write operations in readonly mode, which allowed attackers to create zero-length files. (bsc#1065000, bsc#1106726) CVE-2016-10708: sshd allowed remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c. (bsc#1076957) CVE-2018-15473: OpenSSH was prone to a user existance oracle vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. (bsc#1105010) CVE-2016-10012: Removed pre-auth compression support from the server to prevent possible cryptographic attacks. (bsc#1016370) Bugs fixed: Fixed failing 'AuthorizedKeysCommand' within a 'Match User' block in sshd_config (bsc#1105180) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 118498
    published 2018-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118498
    title SUSE SLES11 Security Update : openssh (SUSE-SU-2018:3540-1)
redhat via4
advisories
rhsa
id RHSA-2017:2029
rpms
  • openssh-0:7.4p1-11.el7
  • openssh-askpass-0:7.4p1-11.el7
  • openssh-cavs-0:7.4p1-11.el7
  • openssh-clients-0:7.4p1-11.el7
  • openssh-keycat-0:7.4p1-11.el7
  • openssh-ldap-0:7.4p1-11.el7
  • openssh-server-0:7.4p1-11.el7
  • openssh-server-sysvinit-0:7.4p1-11.el7
  • pam_ssh_agent_auth-0:0.10.3-1.11.el7
refmap via4
bid 94975
confirm
mlist
  • [debian-lts-announce] 20180910 [SECURITY] [DLA 1500-1] openssh security update
  • [oss-security] 20161219 Announce: OpenSSH 7.4 released
sectrack 1037490
Last major update 06-01-2017 - 22:00
Published 04-01-2017 - 21:59
Last modified 11-09-2018 - 06:29
Back to Top