[3.2] openssh: multiple issues (CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012)
CVE-2016-10009: loading of untrusted PKCS#11 modules in ssh-agent
ssh-agent could load PKCS#11 modules from paths outside of a trusted
whitelist. An attacker able to load a crafted PKCS#11 module across a
forwarded agent channel could potentially
use this flaw to execute arbitrary code on the system running the
ssh-agent. Note that the attacker must have control of the forwarded
agent-socket and the ability to write to the filesystem of the host
running ssh-agent.
This issue was fixed by only allowing modules to be loaded from a trusted (and configurable) whitelist.
Fixed In Version:
openssh 7.4
References:
https://www.openssh.com/txt/release-7.4
http://seclists.org/oss-sec/2016/q4/708
Upstream patch:
CVE-2016-10010: privilege escalation via Unix domain socket forwarding
When privilege separation was disabled in OpenSSH, forwarded Unix-domain
sockets would be created by sshd with root privileges instead of the
privileges of the authenticated user.
This could allow an authenticated attacker to potentially gain root
privileges on the host system.
Fixed In Version:
openssh 7.4
References:
https://www.openssh.com/txt/release-7.4
http://seclists.org/oss-sec/2016/q4/708
Upstream patch:
CVE-2016-10011: Leak of host private key material to privilege-separated child process via realloc()
A theoretical leak of host private key material to privilege-separated
child processes via realloc() when reading keys.
No such leak was observed in practice for normal-sized keys, nor does a
leak to the child processes directly expose key material to unprivileged
users.
Fixed In Version:
openssh 7.4
References:
https://www.openssh.com/txt/release-7.4
http://seclists.org/oss-sec/2016/q4/708
Upstream patch:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/authfile.c.diff?r1=1.121&r2=1.122
CVE-2016-10012: Bounds check can be evaded in the shared memory manager used by pre-authentication compression support
The shared memory manager used by pre-authentication compression support
had a bounds check that could be elided by some optimising compilers.
Additionally, this memory manager was incorrectly accessible when
pre-authentication compression was disabled.
This could potentially allow attacks against the privileged monitor
process from the sandboxed privilege-separation process (a compromise of
the latter would be required first).
Fixed In Version:
openssh 7.4
References:
https://www.openssh.com/txt/release-7.4
http://seclists.org/oss-sec/2016/q4/708
Upstream patches:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.165&r2=1.166
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.h.diff?r1=1.19&r2=1.20
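The class of check CVE-2016-10012 describes, as an added example (not OpenSSH's code; `struct region`, `in_region_naive` and `in_region_safe` are hypothetical names): a pointer-arithmetic bounds check whose overflow case is undefined behaviour, which an optimising compiler may therefore simplify away, beside an integer-space check that holds for any `len`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical shared region handed between a monitor and its child:
 * a base address and a size in bytes. Assumption: base + size does not
 * wrap the address space, which is true for any real mapping. */
struct region {
    unsigned char *base;
    size_t size;
};

/* Naive check: does [p, p + len) lie inside the region?
 * Forming p + len when it overflows is undefined behaviour, so an
 * optimising compiler may assume it never happens and drop the second
 * comparison. Kept only for contrast; never feed it an untrusted len. */
bool in_region_naive(const struct region *r, const unsigned char *p, size_t len)
{
    return p >= r->base && p + len <= r->base + r->size;
}

/* Robust check: work in unsigned integer space so no out-of-bounds
 * pointer is ever formed, and compare len against the space that
 * remains after p instead of adding len to anything. */
bool in_region_safe(const struct region *r, const unsigned char *p, size_t len)
{
    uintptr_t lo = (uintptr_t)r->base;
    uintptr_t hi = lo + r->size;        /* one-past-end; does not wrap (see above) */
    uintptr_t a = (uintptr_t)p;

    if (a < lo || a > hi)
        return false;                   /* p itself is outside the region */
    size_t off = (size_t)(a - lo);      /* 0 <= off <= size */
    return len <= r->size - off;        /* cannot overflow: off <= size */
}

/* Constructed sample region and an unrelated buffer for the checks. */
static unsigned char sample_buf[64];
static unsigned char outside_buf[8];
static const struct region sample = { sample_buf, sizeof sample_buf };

int main(void)
{
    printf("whole region:     %d\n", in_region_safe(&sample, sample_buf, 64));
    printf("one byte too far: %d\n", in_region_safe(&sample, sample_buf + 1, 64));
    printf("len = SIZE_MAX:   %d\n", in_region_safe(&sample, sample_buf, SIZE_MAX));
    printf("outside pointer:  %d\n", in_region_safe(&sample, outside_buf, 1));
    return 0;
}
```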
(from redmine: issue id 6586, created on 2016-12-26, closed on 2016-12-29)
- Relations:
- parent #6583 (closed)
- Changesets:
- Revision fa08f3fc on 2016-12-29T08:59:19Z:
main/openssh: security fixes #6586
CVE-2016-10010, CVE-2016-10011