Bug #6583

openssh: multiple issues (CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012)

Added by Alicha CH over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
-
Start date:
12/26/2016
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Affected versions:
Security IDs:

Description

CVE-2016-10009: loading of untrusted PKCS#11 modules in ssh-agent

ssh-agent could load PKCS#11 modules from paths outside of a trusted whitelist. An attacker able to load a crafted PKCS#11 module across a forwarded agent channel could potentially use this flaw to execute arbitrary code on the system running the ssh-agent. Note that the attacker must have control of the forwarded agent socket and the ability to write to the filesystem of the host running ssh-agent.

This issue was fixed by only allowing modules to be loaded from a trusted (and configurable) whitelist of paths; in OpenSSH 7.4 the whitelist is set with the new ssh-agent -P option and defaults to the system library directories.

Fixed In Version:

openssh 7.4

References:

https://www.openssh.com/txt/release-7.4
http://seclists.org/oss-sec/2016/q4/708

Upstream patch:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-agent.c.diff?r1=1.214&r2=1.215&sortby=date&f=h

CVE-2016-10010: privilege escalation via Unix domain socket forwarding

When privilege separation was disabled in OpenSSH, forwarded Unix-domain sockets would be created by sshd with root privileges instead of the privileges of the authenticated user. This could allow an authenticated attacker to potentially gain root privileges on the host system. Privilege separation is enabled by default, so only hosts that explicitly set UsePrivilegeSeparation no in sshd_config are affected.

Fixed In Version:

openssh 7.4

References:

https://www.openssh.com/txt/release-7.4
http://seclists.org/oss-sec/2016/q4/708

Upstream patch:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/serverloop.c.diff?r1=1.188&r2=1.189&sortby=date&f=h

CVE-2016-10011: Leak of host private key material to privilege-separated child process via realloc()

A theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users.

Fixed In Version:

openssh 7.4

References:

https://www.openssh.com/txt/release-7.4
http://seclists.org/oss-sec/2016/q4/708

Upstream patch:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/authfile.c.diff?r1=1.121&r2=1.122

CVE-2016-10012: Bounds check can be evaded in the shared memory manager used by pre-authentication compression support

The shared memory manager used by pre-authentication compression support had a bounds check that could be elided by some optimising compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first). OpenSSH 7.4 also removed server-side support for pre-authentication compression altogether.

Fixed In Version:

openssh 7.4

References:

https://www.openssh.com/txt/release-7.4
http://seclists.org/oss-sec/2016/q4/708

Upstream patches:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.165&r2=1.166
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.h.diff?r1=1.19&r2=1.20
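Added example, not part of this bug report or of OpenSSH: a small POSIX sh audit helper for the two preconditions described above, an upstream version below 7.4 (all four CVEs) and privilege separation explicitly disabled in sshd_config (needed for CVE-2016-10010). The version-string parsing, the sshd_config path and the verdict labels are this example's own choices. Distributions, Alpine included (see the subtasks), backport fixes without changing the upstream version string, so a "vulnerable" result from the version check alone must be confirmed against the distribution's advisory and package release.

```shell
#!/bin/sh
# Added example (not from the Alpine bug report or OpenSSH): audit helper for
# the openssh 7.4 security fixes. Assumes POSIX sh, sed and awk.
#
# Caveat: a distro that backports the fix keeps the upstream version string,
# so treat a "pre-7.4" verdict as "check the package release", not "vulnerable".

# Take the text printed by `ssh -V` (e.g. "OpenSSH_7.2p2, OpenSSL ...") and
# return 0 if the upstream version is below 7.4, 1 if it is 7.4 or newer,
# 2 if the string cannot be parsed.
openssh_older_than_7_4() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -lt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -lt 4 ]; }; then
        return 0
    fi
    return 1
}

# Print the effective UsePrivilegeSeparation value from the sshd_config at $1.
# sshd honours the first occurrence of a keyword and matches keywords
# case-insensitively; comment and blank lines are skipped. Prints "default"
# when the keyword is absent (privilege separation is on by default).
privsep_setting() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "useprivilegeseparation" && !seen { print $2; seen = 1 }
        END { if (!seen) print "default" }
    ' "$1"
}

# One-word verdict for CVE-2016-10010: "exposed" only when the version is
# pre-7.4 AND the config explicitly says "UsePrivilegeSeparation no".
cve_2016_10010_verdict() {
    rc=0
    openssh_older_than_7_4 "$1" || rc=$?
    case $rc in
        2) echo unknown-version ;;
        1) echo not-exposed ;;
        0) if [ "$(privsep_setting "$2")" = "no" ]; then
               echo exposed
           else
               echo not-exposed
           fi ;;
    esac
}

# Stand-alone use: audit the local host when ssh and its server config exist.
if command -v ssh >/dev/null 2>&1 && [ -r /etc/ssh/sshd_config ]; then
    cve_2016_10010_verdict "$(ssh -V 2>&1)" /etc/ssh/sshd_config
fi
```

`ssh -V` writes its version to stderr, hence the `2>&1`. On Alpine, pair this with `apk info -v openssh` and the package release noted in the relevant subtask rather than trusting the upstream version alone.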


Subtasks

Bug #6584: [3.4] openssh: multiple issues (CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012) (Closed, Natanael Copa)

Bug #6585: [3.3] openssh: multiple issues (CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012) (Closed, Natanael Copa)

Bug #6586: [3.2] openssh: multiple issues (CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012) (Closed, Natanael Copa)

History

#1 Updated by Leonardo Arena over 2 years ago

  • Status changed from New to Resolved

#2 Updated by Alicha CH over 2 years ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from Resolved to Closed
