CVE-2016-10012
Published: 2017-01-05
CVE-2016-10012: The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all…
Priority: P343 · high · 7.8 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.28% (66.4th percentile)
The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_sierra_10.12.4_security_update_2017-001_el_capitan_and_security_update_201 | — | — |
| debian | openssh | < openssh 1:7.4p1-1 (bookworm) | openssh 1:7.4p1-1 (bookworm) |
| openbsd | openssh | <= 7.3 | — |
| openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1 |
| openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1 |
| openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1 |
| openbsd | openssh | >= 0 < 1:7.4p1-1 | 1:7.4p1-1 |
| openbsd | openssh | >= 0 < 1:6.6p1-2ubuntu2.10 | 1:6.6p1-2ubuntu2.10 |
| openbsd | openssh | >= 0 < 1:7.2p2-4ubuntu2.4 | 1:7.2p2-4ubuntu2.4 |
| paloalto | pan-os | — | — |
| paloalto | prisma_sd | — | — |
CVSS provenance
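| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | LOW | — |
| vendor_redhat | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 7.3 | HIGH | — |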
VulDB
Apple macOS up to 10.12.3 OpenSSH memory corruption (HT207615 / Nessus ID 102751)
vuldb·2026-05-30·CVSS 7.8
CVE-2016-10012 [HIGH] Apple macOS up to 10.12.3 OpenSSH memory corruption (HT207615 / Nessus ID 102751)
A vulnerability was found in Apple macOS up to 10.12.3. It has been classified as critical. This issue affects some unknown processing of the component OpenSSH. The manipulation leads to memory corruption.
This vulnerability is listed as CVE-2016-10012. The attack must be carried out locally. There is no available exploit.
Upgrading the affected component is recommended.
VulDB
OpenSSH up to 7.3 Shared Memory Manager memory corruption (EDB-40962 / Nessus ID 96151)
vuldb·2026-05-30·CVSS 7.8
CVE-2016-10012 [HIGH] OpenSSH up to 7.3 Shared Memory Manager memory corruption (EDB-40962 / Nessus ID 96151)
A vulnerability marked as critical has been reported in OpenSSH up to 7.3. This impacts an unknown function of the component Shared Memory Manager. This manipulation causes memory corruption.
The identification of this vulnerability is CVE-2016-10012. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
It is suggested to upgrade the affected component.
GHSA
GHSA-f4jf-rwp2-rx83: The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7
ghsa_unreviewed·2022-05-14
CVE-2016-10012 [HIGH] CWE-119 GHSA-f4jf-rwp2-rx83: The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7
The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.
OSV
openssh vulnerabilities
osv·2018-01-22·CVSS 7.3
CVE-2016-10009 [HIGH] openssh vulnerabilities
Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from
untrusted directories. A remote attacker could possibly use this issue to
execute arbitrary PKCS#11 modules. This issue only affected Ubuntu 14.04
LTS and Ubuntu 16.04 LTS. (CVE-2016-10009)
Jann Horn discovered that OpenSSH incorrectly handled permissions on
Unix-domain sockets when privilege separation is disabled. A local attacker
could possibly use this issue to gain privileges. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-10010)
Jann Horn discovered that OpenSSH incorrectly handled certain buffer memory
operations. A local attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 14.04 LTS and Ubuntu
16.04 LTS. (CVE-2016-10011)
Guid
OSV
CVE-2016-10012: The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7
osv·2017-01-05·CVSS 7.8
CVE-2016-10012 [HIGH] CVE-2016-10012: The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7
The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.
Palo Alto
PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
vendor_paloalto·2024-04-05·CVSS 4.3
CVE-2007-2768 [MEDIUM] PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Prisma SD-WAN ION. While Prisma SD-WAN ION may include the
CVEs: CVE-2007-2768, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-20012, CVE-2016-8858, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111, CVE-2020-12062, CVE-2021-41617, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-28531, CVE-2023-38408, CVE-2023-51384, CVE-2023-51385, CVE-2023-51767
Affected products: Prisma SD
CISA ICS
Siemens SCALANCE X-200RNA Switch Devices
cisa_ics·2022-12-19
ICS Advisory
Last Revised: December 19, 2022
Alert Code: ICSA-22-349-21
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Siemens
- Equipment: SCALANCE X-200RNA switch devices before V3.2.7
- Vulnerabilities: Observable Timing Discrepancy; Race Condition; Improper Restriction of Operations within the Bounds of a Memory Buffer; Improper Input Validation; NULL Pointer Dereference; Use After Free; Cryptographic Issues; Comparison of Incompatible Types; Resource Management
Palo Alto
PAN-SA-2020-0005 PAN-OS: OpenSSH software upgraded to resolve multiple vulnerabilities
vendor_paloalto·2020-05-13·CVSS 7.8
CVE-2016-10012 [HIGH] CWE-119 PAN-SA-2020-0005 PAN-OS: OpenSSH software upgraded to resolve multiple vulnerabilities
OpenSSH software included with PAN-OS has been upgraded to resolve security vulnerability CVE-2016-10012. Additionally, code changes have been made to the server component of the OpenSSH software included in PAN-OS in response to CVE-2015-8325 and CVE-2016-1908, though PAN-OS is not impacted by these issues.
This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.1; all versions of PAN-OS 8.0.
| CVE | CVSS | Summary |
|---|---|---|
| CVE-2016-10012 | 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enf |
Ubuntu
OpenSSH vulnerabilities
vendor_ubuntu·2018-01-22·CVSS 7.3
CVE-2016-10009 [HIGH] OpenSSH vulnerabilities
Title: OpenSSH vulnerabilities
Summary: Several security issues were fixed in OpenSSH.
Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from
untrusted directories. A remote attacker could possibly use this issue to
execute arbitrary PKCS#11 modules. This issue only affected Ubuntu 14.04
LTS and Ubuntu 16.04 LTS. (CVE-2016-10009)
Jann Horn discovered that OpenSSH incorrectly handled permissions on
Unix-domain sockets when privilege separation is disabled. A local attacker
could possibly use this issue to gain privileges. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-10010)
Jann Horn discovered that OpenSSH incorrectly handled certain buffer memory
operations. A local attacker could possibly use this issue to obtain
sensitive information. This issue only affect
Apple
CVE-2016-10012: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
vendor_apple·2017-03-27·CVSS 7.8
CVE-2016-10012 [HIGH] CVE-2016-10012: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
Apple Security Update: About the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
Product: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
CVE: CVE-2016-10012
Component: CVE-2016-10012
Red Hat
openssh: Bounds check can be evaded in the shared memory manager used by pre-authentication compression support
vendor_redhat·2016-12-19·CVSS 7.8
CVE-2016-10012 [HIGH] CWE-287 openssh: Bounds check can be evaded in the shared memory manager used by pre-authentication compression support
The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.
It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process.
Statement: In order to exploit this f
Debian
CVE-2016-10012: openssh - The shared memory manager (associated with pre-authentication compression) in ss...
vendor_debian·2016·CVSS 7.8
CVE-2016-10012 [HIGH] CVE-2016-10012: openssh - The shared memory manager (associated with pre-authentication compression) in ss...
The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.
Scope: local
bookworm: resolved (fixed in 1:7.4p1-1)
bullseye: resolved (fixed in 1:7.4p1-1)
forky: resolved (fixed in 1:7.4p1-1)
sid: resolved (fixed in 1:7.4p1-1)
trixie: resolved (fixed in 1:7.4p1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-10012 openssh: Bounds check can be evaded in the shared memory manager used by pre-authentication compression support
bugzilla·2016-12-20·CVSS 7.8
CVE-2016-10012 [HIGH] CVE-2016-10012 openssh: Bounds check can be evaded in the shared memory manager used by pre-authentication compression support
It was found that the shared memory manager used by pre-authentication compression support had a bounds check that could be elided by some optimising compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first).
CVE assignment:
http://seclists.org/oss-sec/2016/q4/708
External References:
https://www.openssh.com/txt/release-7.4
Discussion:
Upstream patches:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.
Bugzilla
CVE-2016-10009 CVE-2016-10010 CVE-2016-10011 CVE-2016-10012 openssh: various flaws [fedora-all]
bugzilla·2016-12-20·CVSS 7.3
CVE-2016-10009 [HIGH] CVE-2016-10009 CVE-2016-10010 CVE-2016-10011 CVE-2016-10012 openssh: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supp
http://www.openwall.com/lists/oss-security/2016/12/19/2
http://www.securityfocus.com/bid/94975
http://www.securitytracker.com/id/1037490
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.647637
https://access.redhat.com/errata/RHSA-2017:2029
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://github.com/openbsd/src/commit/3095060f479b86288e31c79ecbc5131a66bcd2f9
https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
https://security.netapp.com/advisory/ntap-20171130-0002/
https://support.f5.com/csp/article/K62201745?utm_source=f5support&%3Butm_medium=RSS
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03818en_us
https://www.openssh.com/txt/release-7.4
Published: 2017-01-05