Red Hat Bugzilla – Bug 1406269
CVE-2016-10009 openssh: loading of untrusted PKCS#11 modules in ssh-agent
Last modified: 2017-11-28 17:42:58 EST
It was found that ssh-agent could load PKCS#11 modules from paths outside of a trusted whitelist. An attacker able to load a crafted PKCS#11 module across a forwarded agent channel could potentially use this flaw to execute arbitrary code on the system running the ssh-agent. Note that the attacker must have control of the forwarded agent-socket and the ability to write to the filesystem of the host running ssh-agent. This issue was fixed by only allowing the loading of module from a trusted (and configurable) whitelist. CVE assignment: http://seclists.org/oss-sec/2016/q4/708 Upstream patch: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-agent.c.diff?r1=1.214&r2=1.215&sortby=date&f=h
External References: https://www.openssh.com/txt/release-7.4
Created openssh tracking bugs for this issue: Affects: fedora-all [bug 1406296]
If we will want to fix it, we need to change the whitelist to something reasonable, because all of our PKCS#11 libraries are on x68_64 under /usr/lib64/ See the upstream discussion: http://lists.mindrot.org/pipermail/openssh-unix-dev/2017-January/035631.html
Statement: In order to exploit this flaw, the attacker needs to have control of the forwarded agent-socket and the ability to write to the filesystem of the host running ssh-agent. Because of this restriction for successful exploitation, this issue has been rated as having Moderate security impact. A future update may address this flaw.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2029 https://access.redhat.com/errata/RHSA-2017:2029