[CVE] Security Vulnerabilities in OpenSSH on Ubuntu 14.04

Bug #1732172 reported by Chris Collins
This bug affects 2 people
Affects: openssh (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Does anyone know when the following OpenSSH vulnerabilities will be patched on Ubuntu 14.04?

CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-8858

As these are coming up repeatedly on our security scans

Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1732172/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
affects: ubuntu → openssh (Ubuntu)
information type: Public → Public Security
summary: - OpenSSH on Ubuntu 14.04
+ [CVE] Security Vulnerabilities in OpenSSH on Ubuntu 14.04

Chris Collins (chris.collins) wrote :

The current installed version is: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8

tags: added: trusty

Emily Ratliff (emilyr) wrote :

Thanks for taking the time to report this bug and make Ubuntu better. You can see more information about these CVEs by using the CVE tracker. See
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8858.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10009.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10010.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10011.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10012.html

CVE-2016-8858 is disputed by upstream since the attacker can only DOS their own connection.
CVE-2016-10012 is related to pre-auth compression which has been disabled by default for > 10 years.
CVE-2016-10010 is only impactful if privilege separation is not used, however, privilege separation is enabled by default.
CVE-2016-10009 and CVE-2016-10011 are both low priority.
These issues are on the list to be fixed and will be fixed as soon as possible based on their priority.
Will your scanning software allow you to annotate findings?
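
The two configuration preconditions named in the comment above (pre-auth compression for CVE-2016-10012, disabled privilege separation for CVE-2016-10010) can be checked against a server's effective settings when annotating scanner findings. This is an added example, not part of the original thread; it assumes the lowercase `compression` and `useprivilegeseparation` keywords printed by `sshd -T`, and the function names and sample input are constructed.

```shell
#!/bin/sh
# Added example. Reads `sshd -T` style output ("keyword value" per line) on
# stdin and reports whether each precondition from the comment is present.
# Usage on a real host (as root): sshd -T | check_sshd_exposure

check_sshd_exposure() {
    compression=""
    privsep=""
    status=0
    while read -r key value rest; do
        case "$key" in
            compression) compression=$value ;;
            useprivilegeseparation) privsep=$value ;;
        esac
    done

    # "yes" starts compression before authentication; "delayed" and "no" do not.
    case "$compression" in
        yes) echo "CVE-2016-10012: REVIEW (compression=yes, pre-auth compression enabled)"
             status=1 ;;
        delayed|no) echo "CVE-2016-10012: mitigated (compression=$compression)" ;;
        *) echo "CVE-2016-10012: UNKNOWN (compression not reported)"
           status=1 ;;
    esac

    # Privilege separation must be in use ("yes" or "sandbox").
    case "$privsep" in
        no) echo "CVE-2016-10010: REVIEW (privilege separation disabled)"
            status=1 ;;
        yes|sandbox) echo "CVE-2016-10010: mitigated (useprivilegeseparation=$privsep)" ;;
        *) echo "CVE-2016-10010: UNKNOWN (useprivilegeseparation not reported)"
           status=1 ;;
    esac
    return $status
}

# Constructed sample input, not captured from a real server.
constructed_sample() {
    cat <<'EOF'
port 22
useprivilegeseparation yes
compression delayed
permitrootlogin without-password
EOF
}

constructed_sample | check_sshd_exposure
```

The function returns non-zero when either setting needs review or is missing from the input, so it can gate a compliance job.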

Andreas Hasenack (ahasenack) wrote :

Marking as incomplete given the response in comment #3

Changed in openssh (Ubuntu):
status: New → Incomplete

Vital Koshalew (vital-0) wrote :

Is there a way to review CVE-2016-10009 priority in Ubuntu?

According to https://www.cvedetails.com/cve/CVE-2016-10009/ it has a CVSS score of 7.5 (High) and is easily exploitable. It is a remote code execution vulnerability in one of the components (openssh server) that are commonly exposed to the outside world.

Currently no LTS version of Ubuntu is PCI DSS compliant because this bug is not fixed. As using a non-LTS version on production servers might not be an option for many companies this renders Ubuntu server unusable for them.

Ignoring a remote code execution vulnerability with CVSS score of 7.5 is bad security practice unless there is a reason that makes the vulnerability unusable as provided in #3 for other CVEs.

Marc Deslauriers (mdeslaur) wrote :

Hi,

Thanks for commenting on this issue.

We have rated CVE-2016-10009 as a low-priority issue because an attacker would need to control both the forwarded agent socket and write access to the filesystem of the host running the agent, an unlikely scenario. Other Linux distributions have also rated it similarly and have not rolled out updates to fix the issue.

That being said, we will be including the fix in our next round of OpenSSH security updates once a more important issue comes up.

Amit Khulbe (akhulbe) wrote :

Hi Marc,

We are new to Ubuntu and, like others, are stuck with PCI compliance.
Given that Ubuntu will not be providing the patch for the above in the near future, can you let us know any mitigation steps for this, like installing from the Ubuntu 17.04 repo or installing it from source?
This would be really helpful to us.

Chris Collins (chris.collins) wrote :

In the end we just compiled this from source to upgrade the version to OpenSSH 7.4 - not ideal, but easier than upgrading the server for now. If you can upgrade the server this is the preferred method.

Basically we followed this though:

https://gist.github.com/techgaun/df66d37379df37838482c4c3470bc48e

Marc Deslauriers (mdeslaur) wrote :

We will likely be releasing openssh updates that include this issue in the next couple of weeks.

Amit Khulbe (akhulbe) wrote :

Hi Marc, thanks for the update. I hope that your plan to fix these issues is more or less final. We are transitioning to Ubuntu in our organization but are stuck because of this. Can I tell my users about this timeline?

Marc Deslauriers (mdeslaur) wrote :

Yes, I've started working on them.

Amit Khulbe (akhulbe) wrote :

Thanks for the confirmation.

Marc Deslauriers (mdeslaur) wrote :

Updates have now been published:
https://usn.ubuntu.com/usn/usn-3538-1/

Changed in openssh (Ubuntu):
status: Incomplete → Fix Released

Amit Khulbe (akhulbe) wrote :

Marc thanks so much for quickly fixing this. I really appreciate this.

Marc Deslauriers (mdeslaur) wrote :

You're welcome!
