HIGH · 8.1

CVE-2016-0778

Vulnerability Description

The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings.

CVSS Score

8.1

HIGH

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Affected Products

Vendor  | Product                        | Versions
Oracle  | Linux                          | 7
Oracle  | Solaris                        | 11.3
OpenBSD | OpenSSH                        | 5.4
Apple   | Mac OS X                       | >= 10.9.0, <= 10.9.5
HP      | Virtual Customer Access System | <= 15.07
Sophos  | Unified Threat Management Software | 9.353

Related Weaknesses (CWE)

References

FAQ

What is CVE-2016-0778?

CVE-2016-0778 is a vulnerability with a CVSS score of 8.1 (HIGH). The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings.

How severe is CVE-2016-0778?

CVE-2016-0778 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2016-0778?

Check the references section above for vendor advisories and patch information. Affected products include: Oracle Linux, Oracle Solaris, OpenBSD OpenSSH, Apple Mac OS X, HP Virtual Customer Access System.