Lucene search

K
myhack58佚名MYHACK58:62201682311
HistoryDec 21, 2016 - 12:00 a.m.

OpenSSH is now in the risk of vulnerabilities can cause remote code execution-vulnerability warning-the black bar safety net

2016-12-2100:00:00
佚名
www.myhack58.com
76

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.102 Low

EPSS

Percentile

94.4%

Vulnerability number
CVE-2016-10009
Vulnerability level
In the risk
Vulnerability
OpenSSH 7.3 and the following version
Vulnerability description
The vulnerability appears the ssh-agent, this process by default does not start, only in a multi-host Free the password the login will only be used to. the sshd server can use the forwarded agent-socket file to trick the machine to the ssh-agent in the trusted white list path other than the load a malicious PKCS#11 module, arbitrary code execution. In other words, a malicious server on the client machine on the remote code execution.
This vulnerability of the Use Conditions are relatively harsh, requiring the attacker to control the forwarding agent-socket, and need to have the host file system write permissions. So the official put the vulnerability level rated as medium risk. Based on OpenSSH huge amount of users, there may be a small part of the host will be affected by this.
! [](/Article/UploadPic/2016-12/20161221201553133. jpg? www. myhack58. com)
Bug fixes
In fact, only allows the loading of trusted white list module, you can solve the problem. OpenSSH official has to 12, on 19, released 7. 4 version of OpenSSH that fixes including CVE-2016-10009 including a plurality of Holes. Ubuntu, Debian, etc. the platform also has updated the program. Please timely to the latest version.
! [](/Article/UploadPic/2016-12/20161221201553424. png? www. myhack58. com)

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.102 Low

EPSS

Percentile

94.4%