CVE-2016-10009 - OpenCVE

Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Openbsd	Openssh

Configuration 1 [-]

cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*

References

Link	Resource
http://packetstormsecurity.com/files/140261/OpenSSH-Arbitrary-Library-Loading.html
http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html
http://seclists.org/fulldisclosure/2023/Jul/31
http://www.openwall.com/lists/oss-security/2016/12/19/2	Mailing List Release Notes
http://www.openwall.com/lists/oss-security/2023/07/19/9
http://www.openwall.com/lists/oss-security/2023/07/20/1
http://www.securityfocus.com/bid/94968
http://www.securitytracker.com/id/1037490
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.647637
https://access.redhat.com/errata/RHSA-2017:2029
https://bugs.chromium.org/p/project-zero/issues/detail?id=1009
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://github.com/openbsd/src/commit/9476ce1dd37d3c3218d5640b74c34c65e5f4efe5	Patch
https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
https://security.FreeBSD.org/advisories/FreeBSD-SA-17:01.openssh.asc
https://security.netapp.com/advisory/ntap-20171130-0002/
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03818en_us
https://usn.ubuntu.com/3538-1/
https://www.exploit-db.com/exploits/40963/
https://www.openssh.com/txt/release-7.4

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-01-05T00:00:00

Updated: 2023-07-20T00:00:00

Reserved: 2016-12-19T00:00:00

Link: CVE-2016-10009

JSON object: View

NVD Information

Status : Modified

Published: 2017-01-05T02:59:03.057

Modified: 2023-07-20T18:15:11.230

Link: CVE-2016-10009

JSON object: View

Redhat Information

No data.

CWE

CWE-426

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2016-10009", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2023-07-20T00:00:00", "dateReserved": "2016-12-19T00:00:00", "datePublished": "2017-01-05T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-07-20T00:00:00"}, "descriptions": [{"lang": "en", "value": "Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/openbsd/src/commit/9476ce1dd37d3c3218d5640b74c34c65e5f4efe5"}, {"name": "40963", "tags": ["exploit"], "url": "https://www.exploit-db.com/exploits/40963/"}, {"url": "https://security.netapp.com/advisory/ntap-20171130-0002/"}, {"name": "94968", "tags": ["vdb-entry"], "url": "http://www.securityfocus.com/bid/94968"}, {"name": "[oss-security] 20161219 Announce: OpenSSH 7.4 released", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2016/12/19/2"}, {"name": "1037490", "tags": ["vdb-entry"], "url": "http://www.securitytracker.com/id/1037490"}, {"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03818en_us"}, {"name": "FreeBSD-SA-17:01", "tags": ["vendor-advisory"], "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:01.openssh.asc"}, {"name": "USN-3538-1", "tags": ["vendor-advisory"], "url": "https://usn.ubuntu.com/3538-1/"}, {"url": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.647637"}, {"name": "RHSA-2017:2029", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:2029"}, {"url": "http://packetstormsecurity.com/files/140261/OpenSSH-Arbitrary-Library-Loading.html"}, {"name": "[debian-lts-announce] 20180910 [SECURITY] [DLA 1500-1] openssh security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html"}, {"url": "https://www.openssh.com/txt/release-7.4"}, {"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1009"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"}, {"name": "[oss-security] 20230719 CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/07/19/9"}, {"name": "20230719 CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2023/Jul/31"}, {"name": "[oss-security] 20230719 Re: CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/07/20/1"}, {"url": "http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}], "datePublic": "2016-12-19T00:00:00"}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5D52975-3CB0-4BF7-975F-66EF9BF42A06", "versionEndIncluding": "7.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket."}, {"lang": "es", "value": "Vulnerabilidad de ruta de b\u00fasqueda no confiable en ssh-agent.c en ssh-agent en OpenSSH en versiones anteriores a 7.4 permite a atacantes remotos ejecutar modulos locales PKCS#11 arbitrarios aprovechando el control sobre un agent-socket reenviado."}], "id": "CVE-2016-10009", "lastModified": "2023-07-20T18:15:11.230", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-01-05T02:59:03.057", "references": [{"source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/140261/OpenSSH-Arbitrary-Library-Loading.html"}, {"source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html"}, {"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2023/Jul/31"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Release Notes"], "url": "http://www.openwall.com/lists/oss-security/2016/12/19/2"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2023/07/19/9"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2023/07/20/1"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/94968"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1037490"}, {"source": "cve@mitre.org", "url": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.647637"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2017:2029"}, {"source": "cve@mitre.org", "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1009"}, {"source": "cve@mitre.org", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/openbsd/src/commit/9476ce1dd37d3c3218d5640b74c34c65e5f4efe5"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html"}, {"source": "cve@mitre.org", "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:01.openssh.asc"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20171130-0002/"}, {"source": "cve@mitre.org", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03818en_us"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/3538-1/"}, {"source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/40963/"}, {"source": "cve@mitre.org", "url": "https://www.openssh.com/txt/release-7.4"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "nvd@nist.gov", "type": "Primary"}]}