cbcvebase.
CVE-2016-10009
published 2017-01-05

Priority: P2 (66, high)
CVSS 3.1: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploit: yes
EPSS: 37.43% (percentile 98.3)
Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.

Affected

21 ranges

Vendor | Product | Version range | Fixed in
apple | macos_sierra_10.12.4_security_update_2017-001_el_capitan_and_security_update_201 | |
debian | openssh | < openssh 1:9.2p1-2+deb12u1 (bookworm) | openssh 1:9.2p1-2+deb12u1 (bookworm)
debian | openssh | < openssh 1:7.4p1-1 (bookworm) | openssh 1:7.4p1-1 (bookworm)
fedoraproject | fedora | |
fedoraproject | fedora | |
msrc | cbl2_openssh_8.9p1-1_on_cbl_mariner_2.0 | |
msrc | cm1_openssh_8.9p1-3_on_cbl_mariner_1.0 | |
openbsd | openssh | < 9.3 | 9.3
openbsd | openssh | <= 7.3 |
openbsd | openssh | |
openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1
openbsd | openssh | >= 0 < 1:8.4p1-5+deb11u2 | 1:8.4p1-5+deb11u2
openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1
openbsd | openssh | >= 0 < 1:9.2p1-2+deb12u1 | 1:9.2p1-2+deb12u1
openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1
openbsd | openssh | >= 0 < 1:9.3p2-1 | 1:9.3p2-1
openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1
openbsd | openssh | >= 0 < 1:9.3p2-1 | 1:9.3p2-1
openbsd | openssh | >= 0 < 1:6.6p1-2ubuntu2.10 | 1:6.6p1-2ubuntu2.10
openbsd | openssh | >= 0 < 1:7.2p2-4ubuntu2.4 | 1:7.2p2-4ubuntu2.4
paloalto | pan-os | |

Detection & IOCs (extracted from sources)

filename: evil_lib.so
command: ssh-add -s [...]/evil_lib.so
command: ssh -A
  • Monitor for ssh-agent processes loading shared libraries (.so files) from non-standard or user-writable paths via dlopen(), as the vulnerable code path passes attacker-controlled provider names directly to dlopen() without path validation.
  • Detect use of 'ssh -A' (agent forwarding) combined with connections to untrusted or external SSH servers, which is the prerequisite attack vector for this vulnerability.
  • Audit SSH client configuration files and invocations for 'ForwardAgent' directive or '-A' argument to identify hosts where agent forwarding is enabled, as this is required for exploitation.
  • Monitor for SSH_AGENT_FAILURE responses following ssh-add -s calls with arbitrary .so paths, which may indicate an attempted or successful PKCS#11 module injection.
  • Agent forwarding is disabled by default; exploitation requires the user to have explicitly enabled it via 'ForwardAgent yes' or the '-A' flag. Environments where agent forwarding is not used are not exposed.
  • Exploitation also requires the attacker to have the ability to write a malicious shared library to the victim's filesystem, in addition to controlling the forwarded agent-socket.
  • Exploitation can be prevented by starting ssh-agent with an empty PKCS#11/FIDO allowlist or a restrictive one, regardless of patching status.
  • The original fix for CVE-2016-10009 was incomplete; CVE-2023-38408 represents the same class of vulnerability persisting in OpenSSH before 9.3p2, including unsafe loading from /usr/lib.
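As an added defender-side example (not from this page, OpenSSH, or any vendor), the following Python audit answers the question behind the 'ForwardAgent' bullet above: for a given hostname, does ssh_config actually resolve agent forwarding to enabled? It applies OpenSSH's own rules (case-insensitive keywords, first obtained value wins, Host patterns with '!' negation) and assumes a constructed sample config; Match and Include directives are not handled.

```python
import fnmatch

# Constructed sample ~/.ssh/config for this example (not taken from the page).
# Global defaults sit last so per-host values win under the first-value rule.
SAMPLE_CONFIG = """\
Host bastion
    HostName bastion.example.test
    ForwardAgent yes

Host *
    ForwardAgent no
"""

def _host_matches(patterns, hostname):
    """ssh_config Host matching: a matching '!'-negated pattern excludes the
    host; otherwise at least one positive pattern must match."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched

def effective_forward_agent(config_text, hostname):
    """True if agent forwarding is enabled for hostname.

    Keywords are case-insensitive and the first value obtained for an option
    wins, so lines are scanned in order and the first ForwardAgent in a section
    matching hostname decides. Any value other than "no" enables forwarding
    (OpenSSH 8.2+ also accepts a socket path or $ENV_VAR). Default: no."""
    in_scope = True  # lines before any Host keyword apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (values with '#' unsupported)
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            in_scope = _host_matches(value.split(), hostname)
        elif keyword == "forwardagent" and in_scope:
            return value.lower() != "no"
    return False

def hosts_with_forwarding(config_text, hostnames):
    """Audit helper: the subset of hostnames for which forwarding is enabled."""
    return [h for h in hostnames if effective_forward_agent(config_text, h)]
```

Run it over each user's ~/.ssh/config and the list of hosts they connect to; a global 'ForwardAgent yes' placed at the top of the file wins over every later per-host 'no', which is what the first-value rule makes visible.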

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd | v3.0 | 7.3 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | | 7.3 | HIGH |
vulncheck | | 7.3 | HIGH |
vendor_msrc | | 9.8 | CRITICAL |
vendor_debian | | 7.3 | LOW |
vendor_redhat | | 7.3 | HIGH |
vendor_ubuntu | | 7.3 | HIGH |