http://packetstormsecurity.com/files/140262/OpenSSH-Local-Privilege-Escalation.html

[oss-security] 20161219 Announce: OpenSSH 7.4 released

94972

1037490

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.647637

https://bugs.chromium.org/p/project-zero/issues/detail?id=1010

https://github.com/openbsd/src/commit/c76fac666ea038753294f2ac94d310f8adece9ce

FreeBSD-SA-17:01

https://security.netapp.com/advisory/ntap-20171130-0002/

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03818en_us

40962

https://www.openssh.com/txt/release-7.4

According to its self-reported version number, the version of Junos Space running on the remote device is < 18.2R1, and is therefore affected by multiple vulnerabilities:

  - Due to untrusted search path vulnerability in ssh-agent.c in ssh-agent     in OpenSSH before 7.4, unauthenticated, remote attacker can execute execute     arbitrary local PKCS#11 modules by leveraging control over a forwarded     agent-socket. (CVE-2016-10009)    
  - In OpenSSH before 7.4, an authenticated local attacker can escalate     privileges via unspecified vectors, related to serverloop.c.     (CVE-2016-10010)     
  - authfile.c in sshd in OpenSSH before 7.4 does not properly consider the     effects of realloc on buffer contents. an authenticated local attacker     can obtain sensitive private-key information by leveraging access to a     privilege-separated child process. (CVE-2016-10011)     
  - In sshd in OpenSSH before 7.4, a local attacker can gain privileges by     leveraging access to a sandboxed privilege-separation process due to a     bounds check that's enforced by all by the shared memory manager.     (CVE-2016-10012)     
  - The process_open function in sftp-server.c in OpenSSH before 7.6 does not     properly prevent write operations in readonly mode, which allows local     attackers to create zero-length files. (CVE-2017-15906)     
  - A reflected cross-site scripting vulnerability in OpenNMS included     with Juniper Networks Junos Space may allow the stealing of sensitive     information or session credentials from Junos Space administrators or     perform administrative actions.  (CVE-2018-0046)

An update of the openssh package has been released.

An update of [openssh,linux,libxml2] packages for PhotonOS has been released.

According to its self-reported version number, the remote pfSense install is affected by multiple vulnerabilities as stated in the referenced vendor advisories.

Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from untrusted directories. A remote attacker could possibly use this issue to execute arbitrary PKCS#11 modules. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10009)

Jann Horn discovered that OpenSSH incorrectly handled permissions on Unix-domain sockets when privilege separation is disabled. A local attacker could possibly use this issue to gain privileges. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-10010)

Jann Horn discovered that OpenSSH incorrectly handled certain buffer memory operations. A local attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10011)

Guido Vranken discovered that OpenSSH incorrectly handled certain shared memory manager operations. A local attacker could possibly use issue to gain privileges. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10012)

Michal Zalewski discovered that OpenSSH incorrectly prevented write operations in readonly mode. A remote attacker could possibly use this issue to create zero-length files, leading to a denial of service.
(CVE-2017-15906).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of macOS that is 10.12.x prior to 10.12.4. It is, therefore, affected by multiple vulnerabilities in multiple components, some of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these remote code execution vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. The affected components are as follows :

  - apache
  - apache_mod_php
  - AppleGraphicsPowerManagement
  - AppleRAID
  - Audio
  - Bluetooth
  - Carbon
  - CoreGraphics
  - CoreMedia
  - CoreText
  - curl
  - EFI
  - FinderKit
  - FontParser
  - HTTPProtocol
  - Hypervisor
  - iBooks
  - ImageIO
  - Intel Graphics Driver
  - IOATAFamily
  - IOFireWireAVC
  - IOFireWireFamily
  - Kernel
  - Keyboards
  - libarchive
  - libc++abi
  - LibreSSL
  - MCX Client
  - Menus
  - Multi-Touch
  - OpenSSH
  - OpenSSL
  - Printing
  - python
  - QuickTime
  - Security
  - SecurityFoundation
  - sudo
  - System Integrity Protection
  - tcpdump
  - tiffutil
  - WebKit

This update for openssh fixes several issues.

These security issues were fixed :

  - CVE-2016-8858: The kex_input_kexinit function in kex.c     allowed remote attackers to cause a denial of service     (memory consumption) by sending many duplicate KEXINIT     requests (bsc#1005480).

  - CVE-2016-10012: The shared memory manager (associated     with pre-authentication compression) did not ensure that     a bounds check is enforced by all compilers, which might     allowed local users to gain privileges by leveraging     access to a sandboxed privilege-separation process,     related to the m_zback and m_zlib data structures     (bsc#1016370).

  - CVE-2016-10009: Untrusted search path vulnerability in     ssh-agent.c allowed remote attackers to execute     arbitrary local PKCS#11 modules by leveraging control     over a forwarded agent-socket (bsc#1016366).

  - CVE-2016-10010: When forwarding unix domain sockets with     privilege separation disabled, the resulting sockets     have be created as 'root' instead of the authenticated     user. Forwarding unix domain sockets without privilege     separation enabled is now rejected.

  - CVE-2016-10011: authfile.c in sshd did not properly     consider the effects of realloc on buffer contents,     which might allowed local users to obtain sensitive     private-key information by leveraging access to a     privilege-separated child process (bsc#1016369).

These non-security issues were fixed :

  - Adjusted suggested command for removing conflicting     server keys from the known_hosts file (bsc#1006221)

  - Properly verify CIDR masks in configuration (bsc#1005893     bsc#1021626)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for openssh fixes several issues. These security issues were fixed :

  - CVE-2016-8858: The kex_input_kexinit function in kex.c     allowed remote attackers to cause a denial of service     (memory consumption) by sending many duplicate KEXINIT     requests (bsc#1005480).

  - CVE-2016-10012: The shared memory manager (associated     with pre-authentication compression) did not ensure that     a bounds check is enforced by all compilers, which might     allowed local users to gain privileges by leveraging     access to a sandboxed privilege-separation process,     related to the m_zback and m_zlib data structures     (bsc#1016370).

  - CVE-2016-10009: Untrusted search path vulnerability in     ssh-agent.c allowed remote attackers to execute     arbitrary local PKCS#11 modules by leveraging control     over a forwarded agent-socket (bsc#1016366).

  - CVE-2016-10010: When forwarding unix domain sockets with     privilege separation disabled, the resulting sockets     have be created as 'root' instead of the authenticated     user. Forwarding unix domain sockets without privilege     separation enabled is now rejected.

  - CVE-2016-10011: authfile.c in sshd did not properly     consider the effects of realloc on buffer contents,     which might allowed local users to obtain sensitive     private-key information by leveraging access to a     privilege-separated child process (bsc#1016369).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The ssh-agent(1) agent supports loading a PKCS#11 module from outside a trusted whitelist. An attacker can request loading of a PKCS#11 module across forwarded agent-socket. [CVE-2016-10009]

When privilege separation is disabled, forwarded Unix domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. [CVE-2016-10010] Impact : A remote attacker who have control of a forwarded agent-socket on a remote system and have the ability to write files on the system running ssh-agent(1) agent can run arbitrary code under the same user credential. Because the attacker must already have some control on both systems, it is relatively hard to exploit this vulnerability in a practical attack.
[CVE-2016-10009]

When privilege separation is disabled (on FreeBSD, privilege separation is enabled by default and has to be explicitly disabled), an authenticated attacker can potentially gain root privileges on systems running OpenSSH server. [CVE-2016-10010]

The installed version of OpenSSH is 7.x prior to 7.4 and is affected by the following vulnerabilities :

 - A flaw exists in 'sshd(8)' that is triggered during the creation of forwarded Unix-domain sockets. This may allow a local attacker to potentially gain elevated privileges.
 - A flaw exists in the 'realloc()' function in 'sshd(8)' that is triggered when reading keys. This may allow a local attacker to gain access to potentially sensitive key material that is leaked by the system.
 - A flaw exists in 'ssh-agent(1)' that is triggered when invoking the PKCS#11 module during agent forwarding. This may allow a local attacker to potentially execute arbitrary code with elevated privileges.
 - A flaw exists in 'sshd(8)' that is triggered as bounds are not properly checked in pre-authentication compression support, while the shared memory manager may be inappropriately accessed. This may potentially allow a local attacker to gain elevated privileges.
 - A flaw exists in 'sshd(8)' that is triggered during the handling of a saturation of 'KEXINIT' messages. This may allow a remote attacker to cause a denial of service.
 - A flaw exists in 'sshd(8)' that is triggered during as address ranges for 'AllowUser' and 'DenyUsers' directives are not properly validated at configuration load time. This may allow a local attacker to potentially gain unintended access to restricted areas.
 - A flaw exists that allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.

According to its banner, the version of OpenSSH running on the remote host is prior to 7.4. It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists in ssh-agent due to loading PKCS#11     modules from paths that are outside a trusted whitelist.
    A local attacker can exploit this, by using a crafted     request to load hostile modules via agent forwarding, to     execute arbitrary code. To exploit this vulnerability,     the attacker would need to control the forwarded     agent-socket (on the host running the sshd server) and     the ability to write to the file system of the host     running ssh-agent. (CVE-2016-10009)

  - A flaw exists in sshd due to creating forwarded     Unix-domain sockets with 'root' privileges whenever     privilege separation is disabled. A local attacker can     exploit this to gain elevated privileges.
    (CVE-2016-10010)

  - An information disclosure vulnerability exists in sshd     within the realloc() function due leakage of key     material to privilege-separated child processes when     reading keys. A local attacker can possibly exploit this     to disclose sensitive key material. Note that no such     leak has been observed in practice for normal-sized     keys, nor does a leak to the child processes directly     expose key material to unprivileged users.
    (CVE-2016-10011)

  - A flaw exists in sshd within the shared memory manager     used by pre-authenticating compression support due to a     bounds check being elided by some optimizing compilers     and due to the memory manager being incorrectly     accessible when pre-authenticating compression is     disabled. A local attacker can exploit this to gain     elevated privileges. (CVE-2016-10012)

  - A denial of service vulnerability exists in sshd when     handling KEXINIT messages. An unauthenticated, remote     attacker can exploit this, by sending multiple KEXINIT     messages, to consume up to 128MB per connection.

  - A flaw exists in sshd due to improper validation of     address ranges by the AllowUser and DenyUsers     directives at configuration load time. A local attacker     can exploit this, via an invalid CIDR address range, to     gain access to restricted areas.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The OpenSSH project reports :

- ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside a trusted whitelist (run-time configurable). Requests to load modules could be passed via agent forwarding and an attacker could attempt to load a hostile PKCS#11 module across the forwarded agent channel: PKCS#11 modules are shared libraries, so this would result in code execution on the system running the ssh-agent if the attacker has control of the forwarded agent-socket (on the host running the sshd server) and the ability to write to the filesystem of the host running ssh-agent (usually the host running the ssh client). (CVE-2016-10009)

- sshd(8): When privilege separation is disabled, forwarded Unix-domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. This release refuses Unix-domain socket forwarding when privilege separation is disabled (Privilege separation has been enabled by default for 14 years).
CVE-2016-10010)

New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

ID	Name	Product	Family	Severity
126510	Juniper Junos Space < 18.2R1 Multiple Vulnerabilities (JSA10880)	Nessus	Junos Local Security Checks	high
121665	Photon OS 1.0: Openssh PHSA-2017-0001	Nessus	PhotonOS Local Security Checks	high
111850	Photon OS 1.0: Libxml2 / Linux / Openssh PHSA-2017-0001 (deprecated)	Nessus	PhotonOS Local Security Checks	high
106503	pfSense < 2.3.3 Multiple Vulnerabilities (SA-17_01 - SA-17_03)	Nessus	Firewalls	high
106266	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : openssh vulnerabilities (USN-3538-1)	Nessus	Ubuntu Local Security Checks	high
99134	macOS 10.12.x < 10.12.4 Multiple Vulnerabilities (httpoxy)	Nessus	MacOS X Local Security Checks	high
96919	openSUSE Security Update : openssh (openSUSE-2017-184)	Nessus	SuSE Local Security Checks	high
96718	SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2017:0264-1)	Nessus	SuSE Local Security Checks	high
96411	FreeBSD : FreeBSD -- OpenSSH multiple vulnerabilities (2c948527-d823-11e6-9171-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	high
9855	OpenSSH 7.x < 7.4 Multiple Vulnerabilities	Nessus Network Monitor	SSH	medium
96151	OpenSSH < 7.4 Multiple Vulnerabilities	Nessus	Misc.	high
96116	FreeBSD : openssh -- multiple vulnerabilities (2aedd15f-ca8b-11e6-a9a5-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	high
96091	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : openssh (SSA:2016-358-02)	Nessus	Slackware Local Security Checks	high

CVE-2016-10010

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins