
[Vulnerability notice] CVE-2016-10009: Remote code execution vulnerability in OpenSSH

Last Updated: Oct 10, 2018

On December 19, 2016, the vulnerability platform SecurityFocus published an OpenSSH remote code execution vulnerability, CVE-2016-10009. This vulnerability affects OpenSSH 5.0 to 7.3.

The latest officially released OpenSSH version fixes CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, and several other vulnerabilities without CVE numbers.

See the following for more information about the vulnerability.

CVE identifier: CVE-2016-10009

Vulnerability name: OpenSSH remote code execution vulnerability

Vulnerability rating: Medium

Vulnerability description

A malicious sshd server with access to a forwarded agent socket can entice the client's ssh-agent into loading a hostile PKCS#11 module. Because PKCS#11 modules are shared libraries, this results in code execution on the host running ssh-agent.

Attackers can exploit this vulnerability to run commands remotely and even leak data.

Condition and method of exploitation

This vulnerability can be exploited remotely.

Exploitation depends on ssh-agent and agent forwarding. ssh-agent is not started by default and is typically used only where multiple hosts log on to one another without passwords, so the conditions for exploitation are restrictive.

Affected scope

  • OpenSSH 7.3
  • OpenSSH 7.2p2
  • OpenSSH 7.2
  • OpenSSH 7.1p2
  • OpenSSH 7.1p1
  • OpenSSH 7.1
  • OpenSSH 7.0
  • OpenSSH 6.9p1
  • OpenSSH 6.9
  • OpenSSH 6.6
  • OpenSSH 6.5
  • OpenSSH 6.4
  • OpenSSH 6.3
  • OpenSSH 6.2
  • OpenSSH 6.1
  • OpenSSH 6.0
  • OpenSSH 5.8
  • OpenSSH 5.7
  • OpenSSH 5.6
  • OpenSSH 5.5
  • OpenSSH 5.4
  • OpenSSH 5.3
  • OpenSSH 5.2
  • OpenSSH 5.1
  • OpenSSH 5.0

Vulnerability detection

Run the following command to check the software version:

    ssh -V
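As an added example (not part of the original notice), the following POSIX shell script classifies an ssh -V banner against the affected range stated above, OpenSSH 5.0 through 7.3. It assumes the banner shape "OpenSSH_X.Y[pN], ..." shown in the notice, and the sample banners it runs on are constructed.

```shell
#!/bin/sh
# Added example, not from the original notice: classify an `ssh -V` banner
# against the affected range OpenSSH 5.0 through 7.3. Assumes the banner shape
# "OpenSSH_X.Y[pN], ..." quoted in the notice; ssh -V prints that banner on
# stderr, so a live check needs `ssh -V 2>&1`.

# Print the "X.Y" part of an OpenSSH banner, or nothing if it is not OpenSSH.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print AFFECTED when 5.0 <= version <= 7.3, NOT_AFFECTED otherwise,
# and UNKNOWN when the banner cannot be parsed.
classify_banner() {
    v=$(openssh_version "$1")
    if [ -z "$v" ]; then
        echo UNKNOWN
        return 0
    fi
    major=${v%%.*}
    minor=${v#*.}
    # Compare as major*100+minor so that a version such as 7.10 sorts after 7.3.
    n=$((major * 100 + minor))
    if [ "$n" -ge 500 ] && [ "$n" -le 703 ]; then
        echo AFFECTED
    else
        echo NOT_AFFECTED
    fi
}

# Check the ssh binary on this host and print a one-line verdict.
check_local_ssh() {
    banner=$(ssh -V 2>&1)
    echo "$(classify_banner "$banner"): $banner"
}

# Constructed sample banners for an offline run; the first one is the
# post-upgrade output quoted in the notice.
for b in "OpenSSH_7.4p1, OpenSSL 1.0.2i 22 Sep 2016" \
         "OpenSSH_7.3p1, OpenSSL 1.0.2h" \
         "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f" \
         "Dropbear v2019.78"; do
    echo "$(classify_banner "$b"): $b"
done
```

Call check_local_ssh on a host to get the verdict for its installed ssh binary; a distribution that backports the fix without changing the version number will still show as AFFECTED, so confirm with the package changelog in that case.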

How to fix or mitigate

The default OpenSSH shipped with the ECS operating system images provided by Alibaba Cloud is not affected by this vulnerability. If you have changed the OpenSSH version and are sure that the current version is one of the affected versions, we recommend that you upgrade the SSH server to OpenSSH 7.4 or later. The upgrade method is described below.

Do not expose high-risk services, such as the SSH service, directly to the Internet. We recommend that you use a VPN, a bastion host, or another more secure method for remote O&M, which prevents brute-force and vulnerability-exploitation intrusions.

Upgrade OpenSSH

We recommend that you upgrade OpenSSH with yum update. If the latest package is unavailable from your update source, you can upgrade OpenSSH by using the following method, which is described with 64-bit CentOS 6.8 as an example.

Note: We strongly recommend that you create snapshots and back up files before the upgrade to prevent unexpected events, such as losing remote access because the upgrade failed.

Before you perform the following installation operations, open another SSH window connected to the server being upgraded; otherwise, you may be unable to connect to the server if the upgrade fails. Alternatively, install the Telnet service as a fallback before the upgrade, and stop it after the upgrade succeeds.

  1. Run the following code to upgrade zlib:

    wget http://zlib.net/zlib-1.2.11.tar.gz
    tar zxvf zlib-1.2.11.tar.gz
    cd zlib-1.2.11
    ./configure
    make
    make install

    Run the following command to view the libz version after the upgrade:

    ll /usr/local/lib

    The result is as follows:

    [Figure: zlib]

  2. Upgrade openssl-fips. Before the installation, check whether it is already the latest version. If yes, go to Step 4. If no, run the following code to download the latest version and perform the upgrade:

    wget https://www.openssl.org/source/openssl-fips-2.0.14.tar.gz
    tar zxvf openssl-fips-2.0.14.tar.gz
    cd openssl-fips-2.0.14
    ./config
    make
    make install

  3. Run the following code to upgrade OpenSSL:

    wget https://www.openssl.org/source/openssl-1.0.2i.tar.gz
    tar zxvf openssl-1.0.2i.tar.gz
    cd openssl-1.0.2i
    ./config
    make
    make install
    ln -s /usr/local/lib64/libssl.so.1.0 /usr/lib64/libssl.so.1.0
    ln -s /usr/local/lib64/libcrypto.so.1.0 /usr/lib64/libcrypto.so.1.0
    ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

    View the OpenSSL version after the upgrade. The result is as follows:

    [Figure: openssl upgrade]

  4. Run the following code to install PAM:

    yum install pam* -y

  5. Run the following code to upgrade OpenSSH:

    wget https://mirrors.evowise.com/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz
    tar zxvf openssh-7.4p1.tar.gz
    cd openssh-7.4p1
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-privsep-path=/var/lib/sshd --with-ssl-dir=/usr/local/lib64 --without-hardening
    make
    make install
    # back up the sshd init script by renaming it to sshd_20170209_old
    mv /etc/init.d/sshd /etc/init.d/sshd_20170209_old
    # add the config and init files to the boot list
    cd /root/openssh-7.4p1/contrib/redhat
    cp sshd.init /etc/init.d/sshd
    cp ssh_config /etc/ssh/ssh_config
    # enter y to overwrite the original file (not necessary if you have renamed the original file)
    cp -p sshd_config /etc/ssh/sshd_config
    # enter y to overwrite the original file (not necessary if you have renamed the original file)
    chmod u+x /etc/init.d/sshd
    chkconfig --add sshd
    chkconfig sshd on
    # restart sshd
    service sshd restart

    View the version after the upgrade. The latest version is displayed:

    ssh -V
    OpenSSH_7.4p1, OpenSSL 1.0.2i 22 Sep 2016

Reference

[1] https://www.securityfocus.com/bid/94968/info
[2] https://lwn.net/Articles/709677/
[3] https://www.openssh.com/txt/release-7.4
