Bug 1406278 (CVE-2016-10010)

Summary: CVE-2016-10010 openssh: privilege escalation via Unix domain socket forwarding
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jjelen, mattias.ellert, mgrepl, plautrba, sardella, slawomir, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh 7.4 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-05 06:56:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1406296, 1410321    
Bug Blocks: 1406299, 1415638    

Description Martin Prpič 2016-12-20 08:03:06 UTC 
It was found that when privilege separation was disabled in OpenSSH, forwarded Unix-domain sockets would be created by sshd with root privileges instead of the privileges of the authenticated user. This could allow an authenticated attacker to potentially gain root privileges on the host system.

Note: privileges separation has been enabled by default since OpenSSH 3.3/3.3p1 (2002-06-21). Thus, OpenSSH in any version of RHEL is not affected by default. An affected OpenSSH configuration would have to specifically disable privilege separation with the "UsePrivilegeSeparation no" configuration directive in  /etc/ssh/sshd_config. More information is also available in https://access.redhat.com/solutions/1354953 .

CVE assignment:

http://seclists.org/oss-sec/2016/q4/708

Upstream patch:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/serverloop.c.diff?r1=1.188&r2=1.189&sortby=date&f=h
Comment 1 Martin Prpič 2016-12-20 08:03:23 UTC 
External References:

https://www.openssh.com/txt/release-7.4
Comment 2 Andrej Nemec 2016-12-20 08:41:22 UTC 
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1406296]