Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 10 Jan 2017 11:04:16 +0100
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        Xin Li <delphij@delphij.net>, freebsd security <freebsd-security@freebsd.org>
Cc:        d@delphij.net
Subject:   Re: VuXML entry for openssh - 10.3 sshd in base vulnerable
Message-ID:  <5874B1A0.6060403@quip.cz>
In-Reply-To: <e6441f50-4f0f-2b6a-6a39-30f1450f2e79@delphij.net>
References:  <586BA308.8060402@quip.cz> <586FB98F.2050500@quip.cz> <e6441f50-4f0f-2b6a-6a39-30f1450f2e79@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
Xin Li wrote on 2017/01/10 08:49:
>
>
> On 1/6/17 07:36, Miroslav Lachman wrote:
>> Miroslav Lachman wrote on 2017/01/03 14:11:
>>> Security entries for base are in VuXML for some time so we are checking
>>> it periodically. Now we have an alert for base sshd in 10.3-p14 and -15
>>> too.
>>>
>>> # pkg audit FreeBSD-10.3_15
>>> FreeBSD-10.3_15 is vulnerable:
>>> openssh -- multiple vulnerabilities
>>> CVE: CVE-2016-10010
>>> CVE: CVE-2016-10009
>>> WWW:
>>> https://vuxml.FreeBSD.org/freebsd/2aedd15f-ca8b-11e6-a9a5-b499baebfeaf.html
>>>
>>>
>>> 1 problem(s) in the installed packages found.
>>>
>>>
>>> But there is no advisory on
>>> https://www.freebsd.org/security/advisories.html for this problem.
>>>
>>> Is it false alarm? Or did I missed something?
>>
>> 3 days without reply...
>>
>> Please, can somebody from FreeBSD team clarify if sshd in base is
>> vulnerable or not?
>
> The default configuration is not affected by CVE-2016-10010 because
> privilege separation is enabled by default.
>
> Exploiting CVE-2016-10009 requires non-trivial control over both a SSH
> server and ability to write file on the system running ssh-agent(1).
>
> We plan to issue an advisory soon, but most of users do not need to be
> worried for the vulnerabilities as the sshd(8) vulnerability requires
> deliberately weaken the configuration, and it's hard to exploit the
> ssh-agent(1) vulnerability (if an attacker is able to exploit it, they
> already have substantial control and there would be much easier attacks
> than doing it over ssh-agent).
>
> Hope this helps.

Thank you for this clarification.

Miroslav Lachman

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5874B1A0.6060403>