CVE-2016-0778

MEDIUM

Description

The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the OpenSSH client (5.x, 6.x, and 7.x before 7.1p2), when certain proxy and forward options are enabled, do not properly maintain connection file descriptors. A malicious remote server can exploit this by requesting many forwardings, causing a denial of service (heap-based buffer overflow) or possibly having unspecified other impact.

References

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10734

http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176516.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176349.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00007.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00008.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00009.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00013.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00014.html

http://packetstormsecurity.com/files/135273/Qualys-Security-Advisory-OpenSSH-Overflow-Leak.html

http://seclists.org/fulldisclosure/2016/Jan/44

http://www.debian.org/security/2016/dsa-3446

http://www.openssh.com/txt/release-7.1p2

http://www.openwall.com/lists/oss-security/2016/01/14/7

http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

http://www.securityfocus.com/archive/1/537295/100/0/threaded

http://www.securityfocus.com/bid/80698

http://www.securitytracker.com/id/1034671

http://www.ubuntu.com/usn/USN-2869-1

https://blogs.sophos.com/2016/02/17/utm-up2date-9-354-released/

https://blogs.sophos.com/2016/02/29/utm-up2date-9-319-released/

https://bto.bluecoat.com/security-advisory/sa109

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05247375

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05356388

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05385680

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722

https://security.gentoo.org/glsa/201601-01

https://support.apple.com/HT206167

Details

Source: MITRE

Published: 2016-01-14

Updated: 2019-02-20

Type: CWE-119

Risk Information

CVSS v2.0

Base Score: 4.6

Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 3.9

Severity: MEDIUM

CVSS v3.0

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.2

Severity: HIGH