OpenSSH < 7.4 Multiple Vulnerabilities

Medium Nessus Plugin ID 96151


The SSH server running on the remote host is affected by multiple vulnerabilities.


According to its banner, the version of OpenSSH running on the remote host is prior to 7.4. It is, therefore, affected by multiple vulnerabilities :

- A flaw exists in ssh-agent due to loading PKCS#11 modules from paths that are outside a trusted whitelist.
A local attacker can exploit this, by using a crafted request to load hostile modules via agent forwarding, to execute arbitrary code. To exploit this vulnerability, the attacker would need to control the forwarded agent-socket (on the host running the sshd server) and the ability to write to the file system of the host running ssh-agent. (CVE-2016-10009)

- A flaw exists in sshd due to creating forwarded Unix-domain sockets with 'root' privileges whenever privilege separation is disabled. A local attacker can exploit this to gain elevated privileges.

- An information disclosure vulnerability exists in sshd within the realloc() function due leakage of key material to privilege-separated child processes when reading keys. A local attacker can possibly exploit this to disclose sensitive key material. Note that no such leak has been observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users.

- A flaw exists in sshd within the shared memory manager used by pre-authenticating compression support due to a bounds check being elided by some optimizing compilers and due to the memory manager being incorrectly accessible when pre-authenticating compression is disabled. A local attacker can exploit this to gain elevated privileges. (CVE-2016-10012)

- A denial of service vulnerability exists in sshd when handling KEXINIT messages. An unauthenticated, remote attacker can exploit this, by sending multiple KEXINIT messages, to consume up to 128MB per connection.
(VulnDB 148976)

- A flaw exists in sshd due to improper validation of address ranges by the AllowUser and DenyUsers directives at configuration load time. A local attacker can exploit this, via an invalid CIDR address range, to gain access to restricted areas. (VulnDB 148977)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.


Upgrade to OpenSSH version 7.4 or later.

See Also

Plugin Details

Severity: Medium

ID: 96151

File Name: openssh_74.nasl

Version: $Revision: 1.2 $

Type: remote

Family: Misc.

Published: 2016/12/27

Modified: 2016/12/29

Dependencies: 10267

Risk Information

Risk Factor: Medium


Base Score: 6.9

Temporal Score: 5.7

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND


Base Score: 7

Temporal Score: 6.4

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:X

Vulnerability Information

CPE: cpe:/a:openbsd:openssh

Required KB Items: Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/12/19

Vulnerability Publication Date: 2016/12/19

Reference Information

CVE: CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012

BID: 94968, 94972, 94975, 94977

OSVDB: 148966, 148967, 148968, 148975, 148976, 148977

EDB-ID: 40962