CVE-2016-10708

openssh: Out of sequence NEWKEYS message can allow remote attacker to cause denial of service

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.

sshd en OpenSSH, en versiones anteriores a la 7.4, permite que atacantes remotos provoquen una denegación de servicio (desreferencia de puntero NULL y cierre inesperado del demonio) mediante un mensaje NEWKEYS fuera de secuencia, tal y como demuestra Honggfuzz, relacionado con kex.c y packet.c.

USN-3809-1 fixed vulnerabilities in OpenSSH. The update for CVE-2018-15473 was incomplete and could introduce a regression in certain environments. This update fixes the problem. Robert Swiecki discovered that OpenSSH incorrectly handled certain messages. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. It was discovered that OpenSSH incorrectly handled certain requests. An attacker could possibly use this issue to access sensitive information. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-01-21 CVE Reserved
2018-01-21 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-476: NULL Pointer Dereference

CAPEC

References (13)

URL	Tag	Source
http://www.securityfocus.com/bid/102780	Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-676336.pdf	X_refsource_confirm
https://kc.mcafee.com/corporate/index?page=content&id=SB10284	X_refsource_confirm
https://lists.debian.org/debian-lts-announce/2018/01/msg00031.html	Mailing List
https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html	Mailing List
https://security.netapp.com/advisory/ntap-20180423-0003	Third Party Advisory
https://support.f5.com/csp/article/K32485746?utm_source=f5support&amp%3Butm_medium=RSS	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC
http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html	2023-11-07
https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737	2023-11-07

URL	Date	SRC
https://usn.ubuntu.com/3809-1	2023-11-07
https://www.openssh.com/releasenotes.html	2023-11-07
https://access.redhat.com/security/cve/CVE-2016-10708	2017-08-01
https://bugzilla.redhat.com/show_bug.cgi?id=1537929	2017-08-01

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netapp Search vendor "Netapp"	Vasa Provider Search vendor "Netapp" for product "Vasa Provider"	-	-	Affected	in	Netapp Search vendor "Netapp"	Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"	-	-	Safe
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				< 7.4 Search vendor "Openbsd" for product "Openssh" and version " < 7.4"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		-		Affected
Netapp Search vendor "Netapp"		Cloud Backup Search vendor "Netapp" for product "Cloud Backup"				-		-		Affected
Netapp Search vendor "Netapp"		Data Ontap Search vendor "Netapp" for product "Data Ontap"				-		7-mode		Affected
Netapp Search vendor "Netapp"		Data Ontap Edge Search vendor "Netapp" for product "Data Ontap Edge"				-		-		Affected
Netapp Search vendor "Netapp"		Oncommand Unified Manager Search vendor "Netapp" for product "Oncommand Unified Manager"				>= 9.4 Search vendor "Netapp" for product "Oncommand Unified Manager" and version " >= 9.4"		vsphere		Affected
Netapp Search vendor "Netapp"		Service Processor Search vendor "Netapp" for product "Service Processor"				-		-		Affected
Netapp Search vendor "Netapp"		Storagegrid Search vendor "Netapp" for product "Storagegrid"				-		-		Affected
Netapp Search vendor "Netapp"		Storagegrid Webscale Search vendor "Netapp" for product "Storagegrid Webscale"				-		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				-		-		Affected