CVE-2016-10010
Published 2017-01-05
Priority: P3 · 42 · high · CVSS 3.1: 7
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.24% (89.8th percentile)
sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_sierra_10.12.4_security_update_2017-001_el_capitan_and_security_update_201 | — | — |
| debian | openssh | < openssh 1:7.4p1-1 (bookworm) | openssh 1:7.4p1-1 (bookworm) |
| openbsd | openssh | <= 7.3 | — |
| openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1 |
| openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1 |
| openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1 |
| openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1 |
| openbsd | openssh | >= 0 < 1:6.6p1-2ubuntu2.10 | 1:6.6p1-2ubuntu2.10 |
| openbsd | openssh | >= 0 < 1:7.2p2-4ubuntu2.4 | 1:7.2p2-4ubuntu2.4 |
| paloalto | pan-os | — | — |
| paloalto | prisma_sd | — | — |
CVSS provenance
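| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 7.0 | HIGH | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 7.3 | HIGH | — |
| vendor_ubuntu | — | 7.3 | HIGH | — |
| vendor_debian | — | 7.0 | LOW | — |
| vendor_redhat | — | 7.0 | HIGH | — |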
VulDB
OpenSSH up to 7.3 Unix-Domain Socket access control (EDB-40962 / Nessus ID 96411)
vuldb·2026-05-30·CVSS 7.0
CVE-2016-10010 [HIGH] OpenSSH up to 7.3 Unix-Domain Socket access control (EDB-40962 / Nessus ID 96411)
A vulnerability identified as critical has been detected in OpenSSH up to 7.3. The impacted element is an unknown function of the component Unix-Domain Socket Handler. The manipulation leads to improper access controls.
This vulnerability is uniquely identified as CVE-2016-10010. The attack is possible to be carried out remotely. Moreover, an exploit is present.
You should upgrade the affected component.
VulDB
Apple macOS up to 10.12.3 OpenSSH access control (HT207615 / EDB-40962)
vuldb·2026-05-30·CVSS 7.0
CVE-2016-10010 [HIGH] Apple macOS up to 10.12.3 OpenSSH access control (HT207615 / EDB-40962)
A vulnerability has been found in Apple macOS up to 10.12.3 and classified as critical. This affects an unknown part of the component OpenSSH. Performing a manipulation results in improper access controls.
This vulnerability is identified as CVE-2016-10010. The attack is only possible with local access. Additionally, an exploit exists.
The affected component should be upgraded.
GHSA
GHSA-3m33-m56x-q24g: sshd in OpenSSH before 7
ghsa_unreviewed·2022-05-14
CVE-2016-10010 [HIGH] GHSA-3m33-m56x-q24g: sshd in OpenSSH before 7
sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.
OSV
openssh vulnerabilities
osv·2018-01-22·CVSS 7.3
CVE-2016-10009 [HIGH] openssh vulnerabilities
Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from
untrusted directories. A remote attacker could possibly use this issue to
execute arbitrary PKCS#11 modules. This issue only affected Ubuntu 14.04
LTS and Ubuntu 16.04 LTS. (CVE-2016-10009)
Jann Horn discovered that OpenSSH incorrectly handled permissions on
Unix-domain sockets when privilege separation is disabled. A local attacker
could possibly use this issue to gain privileges. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-10010)
Jann Horn discovered that OpenSSH incorrectly handled certain buffer memory
operations. A local attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 14.04 LTS and Ubuntu
16.04 LTS. (CVE-2016-10011)
Guid
OSV
CVE-2016-10010: sshd in OpenSSH before 7
osv·2017-01-05·CVSS 7.0
CVE-2016-10010 [HIGH] CVE-2016-10010: sshd in OpenSSH before 7
sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.
Palo Alto
PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
vendor_paloalto·2024-04-05·CVSS 4.3
CVE-2007-2768 [MEDIUM] PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Prisma SD-WAN ION. While Prisma SD-WAN ION may include the
CVEs: CVE-2007-2768, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-20012, CVE-2016-8858, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111, CVE-2020-12062, CVE-2021-41617, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-28531, CVE-2023-38408, CVE-2023-51384, CVE-2023-51385, CVE-2023-51767
Affected products: Prisma SD
CISA ICS
Siemens SCALANCE X-200RNA Switch Devices
cisa_ics·2022-12-19
ICS Advisory
Last Revised: December 19, 2022
Alert Code: ICSA-22-349-21
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Siemens
- Equipment: SCALANCE X-200RNA switch devices before V3.2.7
- Vulnerabilities: Observable Timing Discrepancy; Race Condition; Improper Restriction of Operations within the Bounds of a Memory Buffer; Improper Input Validation; NULL Pointer Dereference; Use After Free; Cryptographic Issues; Comparison of Incompatible Types; Resource Management
Palo Alto
PAN-SA-2020-0004 Informational: Third-party or open source vulnerabilities that do not affect PAN-OS
vendor_paloalto·2020-05-13·CVSS 7.5
CVE-2014-1692 [HIGH] PAN-SA-2020-0004 Informational: Third-party or open source vulnerabilities that do not affect PAN-OS
Palo Alto Networks Product Security Assurance team has evaluated and determined that these third-party or open source vulnerabilities do not have a security impact on PAN-OS, or the scenarios required for successful
CVEs: CVE-2014-1692, CVE-2014-2532, CVE-2014-2653, CVE-2015-5352, CVE-2015-8325, CVE-2016-10009, CVE-2016-10010, CVE-2016-10708, CVE-2016-1908, CVE-2016-3115, CVE-2016-6515, CVE-2018-15473, CVE-2018-15919
Affected products: PAN-OS
Ubuntu
OpenSSH vulnerabilities
vendor_ubuntu·2018-01-22·CVSS 7.3
CVE-2016-10009 [HIGH] OpenSSH vulnerabilities
Title: OpenSSH vulnerabilities
Summary: Several security issues were fixed in OpenSSH.
Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from
untrusted directories. A remote attacker could possibly use this issue to
execute arbitrary PKCS#11 modules. This issue only affected Ubuntu 14.04
LTS and Ubuntu 16.04 LTS. (CVE-2016-10009)
Jann Horn discovered that OpenSSH incorrectly handled permissions on
Unix-domain sockets when privilege separation is disabled. A local attacker
could possibly use this issue to gain privileges. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-10010)
Jann Horn discovered that OpenSSH incorrectly handled certain buffer memory
operations. A local attacker could possibly use this issue to obtain
sensitive information. This issue only affect
Apple
CVE-2016-10010: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
vendor_apple·2017-03-27·CVSS 7.0
CVE-2016-10010 [HIGH] CVE-2016-10010: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
Apple Security Update: About the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
Product: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
CVE: CVE-2016-10010
Component: CVE-2016-10010
BSD
FreeBSD-SA-17:01.openssh: OpenSSH multiple vulnerabilities
bsd_advisories·2017-01-11·CVSS 7.3
CVE-2016-10009 [HIGH] FreeBSD-SA-17:01.openssh: OpenSSH multiple vulnerabilities
FreeBSD-SA-17:01.openssh Security Advisory
The FreeBSD Project
Topic: OpenSSH multiple vulnerabilities
Category: contrib
Module: OpenSSH
Announced: 2017-01-11
Affects: All supported versions of FreeBSD.
Corrected: 2017-01-11 05:56:40 UTC (stable/11, 11.0-STABLE)
2017-01-11 06:01:23 UTC (releng/11.0, 11.0-RELEASE-p7)
2017-01-11 05:56:40 UTC (stable/10, 10.3-STABLE)
2017-01-11 06:01:23 UTC (releng/10.3, 10.3-RELEASE-p16)
CVE Name: CVE-2016-10009, CVE-2016-10010
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remo
Red Hat
openssh: privilege escalation via Unix domain socket forwarding
vendor_redhat·2016-12-19·CVSS 7.0
CVE-2016-10010 [HIGH] CWE-266 openssh: privilege escalation via Unix domain socket forwarding
sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.
Package: openssh (Red Hat Enterprise Linux 4) - Not affected
Package: openssh (Red Hat Enterprise Linux 5) - Not affected
Package: openssh (Red Hat Enterprise Linux 6) - Not affected
Package: openssh (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2016-10010: openssh - sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwa...
vendor_debian·2016·CVSS 7.0
CVE-2016-10010 [HIGH] CVE-2016-10010: openssh - sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwa...
sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.
Scope: local
bookworm: resolved (fixed in 1:7.4p1-1)
bullseye: resolved (fixed in 1:7.4p1-1)
forky: resolved (fixed in 1:7.4p1-1)
sid: resolved (fixed in 1:7.4p1-1)
trixie: resolved (fixed in 1:7.4p1-1)
No detection rules found.
arXiv
Security of Medical Cyber-physical Systems: An Empirical Study on Imaging Devices
arxiv_fulltext·2020-01-05
The authors would like to thank the vendors and developers for their help in the research. This research was financially supported by the National Key Research and Development Plan (2018YFB1004101), Key Lab of Information Network Security, Ministry of Public Security (C19614), Special fund on education and teaching reform of Besti (jy201805), the Fundamental Research Funds for the Central Universities(328201910), China Postdoctoral Science Foundation funded project, 2019 Beijing Common Construction Project-Teaching Reform and Innovation Project for Universities in Beijing, Key Laboratory of Network Assessment Technology of Institute of Information Engineering, Chinese Academy of Sciences.
Zhiqiang Wang^1,*,
Bugzilla
CVE-2016-10010 openssh: privilege escalation via Unix domain socket forwarding
bugzilla·2016-12-20·CVSS 7.0
CVE-2016-10010 [HIGH] CVE-2016-10010 openssh: privilege escalation via Unix domain socket forwarding
It was found that when privilege separation was disabled in OpenSSH, forwarded Unix-domain sockets would be created by sshd with root privileges instead of the privileges of the authenticated user. This could allow an authenticated attacker to potentially gain root privileges on the host system.
Note: privilege separation has been enabled by default since OpenSSH 3.3/3.3p1 (2002-06-21). Thus, OpenSSH in any version of RHEL is not affected by default. An affected OpenSSH configuration would have to specifically disable privilege separation with the "UsePrivilegeSeparation no" configuration directive in /etc/ssh/sshd_config. More information is also available in https://access.redhat.com/solutions/1354953.
CV
Bugzilla
CVE-2016-10009 CVE-2016-10010 CVE-2016-10011 CVE-2016-10012 openssh: various flaws [fedora-all]
bugzilla·2016-12-20·CVSS 7.3
CVE-2016-10009 [HIGH] CVE-2016-10009 CVE-2016-10010 CVE-2016-10011 CVE-2016-10012 openssh: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supp
http://packetstormsecurity.com/files/140262/OpenSSH-Local-Privilege-Escalation.html
http://www.openwall.com/lists/oss-security/2016/12/19/2
http://www.securityfocus.com/bid/94972
http://www.securitytracker.com/id/1037490
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.647637
https://bugs.chromium.org/p/project-zero/issues/detail?id=1010
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://github.com/openbsd/src/commit/c76fac666ea038753294f2ac94d310f8adece9ce
https://security.FreeBSD.org/advisories/FreeBSD-SA-17:01.openssh.asc
https://security.netapp.com/advisory/ntap-20171130-0002/
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03818en_us
https://www.exploit-db.com/exploits/40962/
https://www.openssh.com/txt/release-7.4