CVE-2016-10011
Published: 2017-01-05
CVE-2016-10011: authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain…
Priority: P423 · Severity: medium · CVSS 3.1: 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 1.10% (61.6th percentile)
authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_sierra_10.12.4_security_update_2017-001_el_capitan_and_security_update_201 | — | — |
| debian | openssh | < openssh 1:7.4p1-1 (bookworm) | openssh 1:7.4p1-1 (bookworm) |
| openbsd | openssh | <= 7.3 | — |
| openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1 |
| openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1 |
| openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1 |
| openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1 |
| openbsd | openssh | >= 0 < 1:6.6p1-2ubuntu2.10 | 1:6.6p1-2ubuntu2.10 |
| openbsd | openssh | >= 0 < 1:7.2p2-4ubuntu2.4 | 1:7.2p2-4ubuntu2.4 |
| paloalto | prisma_sd | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.2 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v3.0 | 5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.3 | HIGH | — |
| vendor_ubuntu | — | 7.3 | HIGH | — |
| vendor_debian | — | 5.5 | LOW | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
Palo Alto
PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
vendor_paloalto · 2024-04-05 · CVSS 4.3 · CVE-2007-2768 [MEDIUM]
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Prisma SD-WAN ION. While Prisma SD-WAN ION may include the
CVEs: CVE-2007-2768, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-20012, CVE-2016-8858, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111, CVE-2020-12062, CVE-2021-41617, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-28531, CVE-2023-38408, CVE-2023-51384, CVE-2023-51385, CVE-2023-51767
Affected products: Prisma SD
CISA ICS
Siemens SCALANCE X-200RNA Switch Devices
cisa_ics · 2022-12-19
Archived Content: In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
Last Revised: December 19, 2022
Alert Code: ICSA-22-349-21
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Siemens
- Equipment: SCALANCE X-200RNA switch devices before V3.2.7
- Vulnerabilities: Observable Timing Discrepancy; Race Condition; Improper Restriction of Operations within the Bounds of a Memory Buffer; Improper Input Validation; NULL Pointer Dereference; Use After Free; Cryptographic Issues; Comparison of Incompatible Types; Resource Management
Ubuntu
OpenSSH vulnerabilities
vendor_ubuntu · 2018-01-22 · CVSS 7.3 · CVE-2016-10009 [HIGH]
Summary: Several security issues were fixed in OpenSSH.
Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from
untrusted directories. A remote attacker could possibly use this issue to
execute arbitrary PKCS#11 modules. This issue only affected Ubuntu 14.04
LTS and Ubuntu 16.04 LTS. (CVE-2016-10009)
Jann Horn discovered that OpenSSH incorrectly handled permissions on
Unix-domain sockets when privilege separation is disabled. A local attacker
could possibly use this issue to gain privileges. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-10010)
Jann Horn discovered that OpenSSH incorrectly handled certain buffer memory
operations. A local attacker could possibly use this issue to obtain
sensitive information. This issue only affect
Apple
CVE-2016-10011: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
vendor_apple · 2017-03-27 · CVSS 5.5 · CVE-2016-10011 [MEDIUM]
Apple Security Update: About the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
Product: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
CVE: CVE-2016-10011
Component: CVE-2016-10011
Red Hat
openssh: Leak of host private key material to privilege-separated child process via realloc()
vendor_redhat · 2016-12-19 · CVSS 5.5 · CVE-2016-10011 [MEDIUM] · CWE-200
authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.
It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information.
Statement: It seems that this flaw is not practically exploitable, the leak of host private key material to the privilege-separated child processes is theoretical. No such leak was observed in practice for n
Debian
CVE-2016-10011: openssh - authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects ...
vendor_debian · 2016 · CVSS 5.5 · CVE-2016-10011 [MEDIUM]
authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.
Scope: local
bookworm: resolved (fixed in 1:7.4p1-1)
bullseye: resolved (fixed in 1:7.4p1-1)
forky: resolved (fixed in 1:7.4p1-1)
sid: resolved (fixed in 1:7.4p1-1)
trixie: resolved (fixed in 1:7.4p1-1)
VulDB
OpenSSH up to 7.3 Privilege Separation key management (EDB-40962 / Nessus ID 96151)
vuldb · 2026-05-30 · CVSS 6.2 · CVE-2016-10011 [MEDIUM]
A vulnerability labeled as critical has been found in OpenSSH up to 7.3. This affects an unknown function of the component Privilege Separation. The manipulation results in a key management error.
This vulnerability was named CVE-2016-10011. The attack needs to be approached locally. In addition, an exploit is available.
The affected component should be upgraded.
VulDB
Apple macOS up to 10.12.3 OpenSSH key management (HT207615 / Nessus ID 102751)
vuldb · 2026-05-30 · CVSS 6.2 · CVE-2016-10011 [MEDIUM]
A vulnerability was found in Apple macOS up to 10.12.3 and classified as critical. This vulnerability affects unknown code of the component OpenSSH. Executing a manipulation can lead to a key management error.
This vulnerability is tracked as CVE-2016-10011. The attack is restricted to local execution. No exploit exists.
It is suggested to upgrade the affected component.
GHSA
GHSA-xcgr-wv7g-4j33: authfile
ghsa_unreviewed · 2022-05-13 · CVE-2016-10011 [MEDIUM]
authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.
OSV
openssh vulnerabilities
osv · 2018-01-22 · CVSS 7.3 · CVE-2016-10009 [HIGH]
Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from
untrusted directories. A remote attacker could possibly use this issue to
execute arbitrary PKCS#11 modules. This issue only affected Ubuntu 14.04
LTS and Ubuntu 16.04 LTS. (CVE-2016-10009)
Jann Horn discovered that OpenSSH incorrectly handled permissions on
Unix-domain sockets when privilege separation is disabled. A local attacker
could possibly use this issue to gain privileges. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-10010)
Jann Horn discovered that OpenSSH incorrectly handled certain buffer memory
operations. A local attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 14.04 LTS and Ubuntu
16.04 LTS. (CVE-2016-10011)
Guid
OSV
CVE-2016-10011: authfile
osv · 2017-01-05 · CVSS 5.5 · CVE-2016-10011 [MEDIUM]
authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-10009 CVE-2016-10010 CVE-2016-10011 CVE-2016-10012 openssh: various flaws [fedora-all]
bugzilla · 2016-12-20 · CVSS 7.3 · CVE-2016-10009 [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supp
Bugzilla
CVE-2016-10011 openssh: Leak of host private key material to privilege-separated child process via realloc()
bugzilla · 2016-12-20 · CVSS 5.5 · CVE-2016-10011 [MEDIUM]
It was found that there is a theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users.
CVE assignment:
http://seclists.org/oss-sec/2016/q4/708
External References:
https://www.openssh.com/txt/release-7.4
Discussion:
Upstream patch:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/authfile.c.diff?r1=1.121&r2=1.122
---
Created openssh tracking bugs for this issue:
Affects: fedora-all [bug 1406296]
---
Statement:
It seems that this flaw is not practically
References
- http://www.openwall.com/lists/oss-security/2016/12/19/2
- http://www.securityfocus.com/bid/94977
- http://www.securitytracker.com/id/1037490
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.647637
- https://access.redhat.com/errata/RHSA-2017:2029
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-676336.pdf
- https://github.com/openbsd/src/commit/ac8147a06ed2e2403fb6b9a0c03e618a9333c0e9
- https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
- https://security.netapp.com/advisory/ntap-20171130-0002/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03818en_us
- https://www.openssh.com/txt/release-7.4
Published: 2017-01-05