CERT-In Vulnerability Note
Multiple Vulnerabilities in OpenSSH
Original Issue Date: December 29, 2016
Severity Rating: HIGH
Multiple vulnerabilities have been reported in OpenSSH which could be exploited by an attacker to execute arbitrary code, access sensitive information, gain elevated privileges or bypass security restrictions.
1. Remote code execution Vulnerability
This vulnerability exists in sshd while loading PKCS#11 modules (shared libraries) from paths outside a trusted whitelist. A remote unauthenticated attacker with control of the sshd service could exploit this vulnerability by requesting the targeted ssh-agent to load a specially crafted PKCS#11 module across a forwarded agent channel.
Successful exploitation of the vulnerability could allow the attacker to execute arbitrary code on or write files to the target system running the ssh-agent.
2. Privilege Escalation Vulnerability
This vulnerability exists in sshd when privilege separation is disabled. An attacker could exploit this vulnerability via a forwarded Unix-domain socket to gain root privileges.
3. Information Disclosure Vulnerability
This vulnerability exists in sshd. A local attacker could exploit it via realloc() when reading keys to obtain host private key material.
4. Security Feature Bypass Vulnerability
This vulnerability exists in sshd due to improper boundary checks by optimizing compilers in the shared memory manager when pre-authentication compression is disabled. A remote attacker could exploit this vulnerability to bypass security restrictions which could be leveraged to conduct further attacks.
5. Security Bypass Vulnerability
This vulnerability exists in sshd due to improper validation of CIDR address ranges for the AllowUsers and DenyUsers directives at configuration load time. A remote attacker could exploit this vulnerability to bypass address-based access controls if the AllowUsers directive is configured with invalid CIDR address ranges.
Update to OpenSSH 7.4
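An added example, not part of the CERT-In note or the OpenSSH project: a Python audit that flags two of the conditions described above in an sshd_config, privilege separation disabled (item 2) and AllowUsers/DenyUsers entries whose CIDR range does not parse (item 5). The sample configuration, function names and finding labels are constructed for illustration.

```python
import ipaddress

# Constructed sample sshd_config, for illustration only.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
UsePrivilegeSeparation no
AllowUsers alice@10.1.2.0/24 bob@192.168.1.0/55 carol
DenyUsers mallory@172.16.5.9/16 *@*.example.org
"""


def is_invalid_cidr(host):
    """True if host is written as a CIDR range (addr/len) but does not parse.

    strict=True also rejects ranges with host bits set, e.g. 172.16.5.9/16;
    treating those as invalid is a choice made for this example.
    """
    if "/" not in host:
        return False  # hostname pattern or plain address, out of scope here
    try:
        ipaddress.ip_network(host, strict=True)
    except ValueError:
        return True
    return False


def audit_sshd_config(text):
    """Return (line_number, keyword, value, finding) tuples for risky settings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        keyword, args = fields[0], fields[1:]
        key = keyword.lower()  # sshd_config keywords are case-insensitive
        if key == "useprivilegeseparation" and args[:1] == ["no"]:
            findings.append((lineno, keyword, "no", "privsep-disabled"))
        elif key in ("allowusers", "denyusers"):
            for pattern in args:
                # USER@HOST form: only the HOST part can carry a CIDR range.
                user, sep, host = pattern.rpartition("@")
                if sep and is_invalid_cidr(host):
                    findings.append((lineno, keyword, pattern, "invalid-cidr"))
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_CONFIG):
        print(*finding)
```

Run it against the deployed configuration by passing the file's text to `audit_sshd_config`; any `invalid-cidr` finding should be corrected before relying on that entry for address-based access control.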
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003