7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.102 Low
EPSS
Percentile
94.8%
Problem Description:
The ssh-agent(1) agent supports loading a PKCS#11 module
from outside a trusted whitelist. An attacker can request
loading of a PKCS#11 module across forwarded agent-socket.
[CVE-2016-10009]
When privilege separation is disabled, forwarded Unix
domain sockets would be created by sshd(8) with the privileges
of ‘root’ instead of the authenticated user. [CVE-2016-10010]
Impact:
A remote attacker who have control of a forwarded
agent-socket on a remote system and have the ability to
write files on the system running ssh-agent(1) agent can
run arbitrary code under the same user credential. Because
the attacker must already have some control on both systems,
it is relatively hard to exploit this vulnerability in a
practical attack. [CVE-2016-10009]
When privilege separation is disabled (on FreeBSD,
privilege separation is enabled by default and has to be
explicitly disabled), an authenticated attacker can potentially
gain root privileges on systems running OpenSSH server.
[CVE-2016-10010]
7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.102 Low
EPSS
Percentile
94.8%