CVE-2016-10009

Published: 05/01/2017 Updated: 20/07/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 7.3 | Impact Score: 3.4 | Exploitability Score: 3.9
VMScore: 756
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH prior to 7.4 allows remote malicious users to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.

Vulnerable Product

openbsd openssh

Vendor Advisories

Several security issues were fixed in OpenSSH ...
Debian Bug report logs - #848716 openssh: CVE-2016-10011. Package: src:openssh; Maintainer for src:openssh is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Mon, 19 Dec 2016 19:33:04 UTC; Severity: important; Tags: security, upstream; Found in versio ...
Debian Bug report logs - #848714 openssh: CVE-2016-10009. Package: src:openssh; Maintainer for src:openssh is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Mon, 19 Dec 2016 19:27:02 UTC; Severity: important; Tags: security, upstream; Found in versio ...
Debian Bug report logs - #848717 openssh: CVE-2016-10012. Package: src:openssh; Maintainer for src:openssh is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Mon, 19 Dec 2016 19:36:01 UTC; Severity: important; Tags: security, upstream; Found in versio ...
Debian Bug report logs - #848715 openssh: CVE-2016-10010. Package: src:openssh; Maintainer for src:openssh is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Mon, 19 Dec 2016 19:33:02 UTC; Severity: important; Tags: security, upstream; Found in versio ...
A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses (CVE-2016-6210). It was found that OpenSSH did not limit password lengths for password authentication. A remo ...
It was found that ssh-agent could load PKCS#11 modules from paths outside of a trusted whitelist. An attacker able to load a crafted PKCS#11 module across a forwarded agent channel could potentially use this flaw to execute arbitrary code on the system running the ssh-agent. Note that the attacker must have control of the forwarded agent-socket and ...

Exploits

Source: bugs.chromium.org/p/project-zero/issues/detail?id=1009. The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the ...
The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. The agent passes this provider ...
The PKCS#11 feature in ssh-agent in OpenSSH versions prior to 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system ...

Github Repositories

Support: This is a community project and while you will see contributions from the Deep Security team, there is no official Trend Micro support for this project. The official documentation for the Deep Security APIs is available from the Trend Micro Online Help Centre. Tutorials, feature-specific help, and other information about Deep Security is available from the Deep Security

Scripts used to combine Qualys scans and Trend Micro Deep Security recommendation scan results into reports.
