CVE-2016-10010 : sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which

sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.

Published 2017-01-05 02:59:03

Updated 2022-12-13 12:15:20

Source MITRE

View at NVD, CVE.org

Threat overview for CVE-2016-10010

Top countries where our scanners detected CVE-2016-10010

Top open port discovered on systems with this issue 22

IPs affected by CVE-2016-10010 2,489,754

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2016-10010!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2016-10010

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-10010

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.9	MEDIUM	AV:L/AC:M/Au:N/C:C/I:C/A:C	3.4	10.0	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.0	HIGH	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.0	5.9	NIST
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-10010

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-10010

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.647637

The Slackware Linux Project: Slackware Security Advisories

CVEs referencing this url
http://www.securityfocus.com/bid/94972

OpenSSH CVE-2016-10010 Privilege Escalation Vulnerability
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03818en_us

HPESBUX03818 rev.2 - HP-UX Secure Shell, Multiple Remote Vulnerabilities

CVEs referencing this url
https://bugs.chromium.org/p/project-zero/issues/detail?id=1010

1010 - OpenSSH: LPE via forwarded unix domain sockets if privsep is disabled - project-zero - Monorail
http://www.securitytracker.com/id/1037490

OpenSSH Multiple Flaws Let Remote Authenticated Users Gain Elevated Privileges and Local Privileged Users Obtain Host Private Keys - SecurityTracker

CVEs referencing this url
http://packetstormsecurity.com/files/140262/OpenSSH-Local-Privilege-Escalation.html

OpenSSH Local Privilege Escalation ≈ Packet Storm
https://security.netapp.com/advisory/ntap-20171130-0002/

January 2017 OpenSSH Vulnerabilities in NetApp Products | NetApp Product Security

CVEs referencing this url
https://www.exploit-db.com/exploits/40962/

OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation
https://security.FreeBSD.org/advisories/FreeBSD-SA-17:01.openssh.asc

CVEs referencing this url
https://www.openssh.com/txt/release-7.4

CVEs referencing this url
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf

CVEs referencing this url
https://github.com/openbsd/src/commit/c76fac666ea038753294f2ac94d310f8adece9ce

disable Unix-domain socket forwarding when privsep is disabled · openbsd/src@c76fac6 · GitHub
Patch
http://www.openwall.com/lists/oss-security/2016/12/19/2

oss-security - Announce: OpenSSH 7.4 released
Mailing List;Release Notes

CVEs referencing this url

Products affected by CVE-2016-10010

Openbsd » Openssh
Versions up to, including, (<=) 7.3
cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
Matching versions