Dropbear SSH Server < 2016.72 Multiple Vulnerabilities

  • Updated 1 year ago
We have found the vulnerability below and I wonder if there is an update we can apply to patch against this. We are currently at version 9.10.0.0 build 218.

Vulnerability details as follows:
Description
According to its self-reported version in its banner, Dropbear SSH running on the remote host is prior to 2016.74. It is, therefore, affected by the following vulnerabilities:

- A format string flaw exists due to improper handling of string format specifiers (e.g., %s and %x) in usernames and host arguments. An unauthenticated, remote attacker can exploit this to execute arbitrary code with root privileges. (CVE-2016-7406)

- A flaw exists in dropbearconvert due to improper handling of specially crafted OpenSSH key files. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-7407)

- A flaw exists in dbclient when handling the -m or -c arguments in scripts. An unauthenticated, remote attacker can exploit this, via a specially crafted script, to execute arbitrary code. (CVE-2016-7408)

- A flaw exists in dbclient or dropbear server if they are compiled with the DEBUG_TRACE option and then run using the -v switch. A local attacker can exploit this to disclose process memory. (CVE-2016-7409)

Solution
Upgrade to Dropbear SSH version 2016.74 or later.

See Also
https://matt.ucc.asn.au/dropbear/CHANGES

David Fay


Posted 1 year ago

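A defender-side version triage in the spirit of the scanner output quoted above, added here as an example and not taken from the original post, from Ruckus or from the Dropbear project: it parses the self-reported version out of a Dropbear SSH banner line and flags anything earlier than 2016.74. The sample banners and 192.0.2.x hosts are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# First fixed release named in the advisory text.
FIXED = (2016, 74)

# Matches e.g. "SSH-2.0-dropbear_2016.73"; the version suffix is optional
# because some builds strip it from the banner.
_BANNER = re.compile(r"^SSH-(?P<proto>\d\.\d+)-dropbear(?:_(?P<ver>[0-9][0-9.]*))?", re.I)

# Constructed sample of (host, banner) pairs, TEST-NET-1 addresses.
SAMPLE_BANNERS: List[Tuple[str, str]] = [
    ("192.0.2.10", "SSH-2.0-dropbear_2016.73"),
    ("192.0.2.11", "SSH-2.0-dropbear_0.53.1"),
    ("192.0.2.12", "SSH-2.0-dropbear_2016.74"),
    ("192.0.2.13", "SSH-2.0-dropbear"),
    ("192.0.2.14", "SSH-2.0-OpenSSH_7.4"),
]


@dataclass
class BannerCheck:
    version: Optional[Tuple[int, ...]]  # None when the banner hides the version
    affected: Optional[bool]            # None when it cannot be determined


def parse_dropbear_banner(banner: str) -> Optional[BannerCheck]:
    """Return a BannerCheck for a Dropbear banner line, or None if not Dropbear."""
    m = _BANNER.match(banner.strip())
    if not m:
        return None
    if not m.group("ver"):
        return BannerCheck(None, None)
    parts = tuple(int(p) for p in m.group("ver").strip(".").split("."))
    # Dropbear moved from 0.xx to YYYY.NN numbering; integer tuples still
    # compare correctly across both schemes because 0 < 2016.
    return BannerCheck(parts, parts < FIXED)


def triage(banners: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map host -> 'affected' / 'fixed' / 'unknown' / 'not-dropbear'."""
    result: Dict[str, str] = {}
    for host, banner in banners:
        chk = parse_dropbear_banner(banner)
        if chk is None:
            result[host] = "not-dropbear"
        elif chk.affected is None:
            result[host] = "unknown"
        else:
            result[host] = "affected" if chk.affected else "fixed"
    return result
```

A banner-only check cannot see fixes a vendor backports without bumping the version string, so treat "affected" as a triage signal to confirm against the vendor's own advisory.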

Michael Brado, Official Rep

Hello David,
Dropbear is used as the webserver on APs and ZD's SSH, and not on Solo APs, and this will be fixed in ZD 10.0. See security advisory on https://www.ruckuswireless.com/security.

David Fay

Do you know the provisional release date for this? I couldn't see CVE-2016-7406 in these advisories.