Vulnerability identifier: #VU33987
Vulnerability risk: Medium
CVSSv4.0: 7.4 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID:
CWE-ID: CWE-93
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software: Dropbear
Server applications / Remote management servers, RDP, SSH
Vendor: Matt Johnston
Description
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improper input validation when processing CRLF characters. A remote authenticated user can bypass intended shell-command restrictions via crafted X11 forwarding data.
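The kind of input check that addresses this weakness, as an added example (not Dropbear's code and not taken from the vendor's fix): the SSH `x11-req` channel request (RFC 4254) carries an authentication protocol name and a cookie as length-prefixed strings, and the server should refuse forwarding when either contains CR, LF or any byte outside a strict allowlist. The function names, allowlists and length limits below are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical helpers (not Dropbear's code). Lengths are explicit because
 * SSH strings are length-prefixed and may contain NUL, CR or LF bytes. */

static int is_alnum_ascii(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z');
}

static int is_hex_ascii(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'F') ||
           (c >= 'a' && c <= 'f');
}

/* Auth protocol name: 1..64 bytes (assumed limit) from [A-Za-z0-9._-]. */
static int x11_proto_ok(const char *s, size_t len)
{
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!is_alnum_ascii(c) && c != '-' && c != '.' && c != '_') return 0;
    }
    return 1;
}

/* Cookie: even number of hex digits, 2..256 bytes (assumed limit). */
static int x11_cookie_ok(const char *s, size_t len)
{
    if (len == 0 || len > 256 || len % 2 != 0) return 0;
    for (size_t i = 0; i < len; i++)
        if (!is_hex_ascii((unsigned char)s[i])) return 0;
    return 1;
}

/* Accept the request only if both fields pass; otherwise refuse forwarding. */
int x11_req_ok(const char *proto, size_t plen, const char *cookie, size_t clen)
{
    return x11_proto_ok(proto, plen) && x11_cookie_ok(cookie, clen);
}

int main(void)
{
    /* Constructed samples: a clean request (1), then a cookie with CRLF (0). */
    printf("%d\n", x11_req_ok("MIT-MAGIC-COOKIE-1", 18, "00ff00ff", 8));
    printf("%d\n", x11_req_ok("MIT-MAGIC-COOKIE-1", 18, "00ff\r\n00ff", 10));
}
```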
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Dropbear: 2013.56 - 2015.71
External links
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179261.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179269.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179870.html
https://lists.opensuse.org/opensuse-updates/2016-03/msg00105.html
https://lists.opensuse.org/opensuse-updates/2016-03/msg00113.html
https://packetstormsecurity.com/files/136251/Dropbear-SSHD-xauth-Command-Injection-Bypass.html
https://seclists.org/fulldisclosure/2016/Mar/47
https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
https://matt.ucc.asn.au/dropbear/CHANGES
https://security.gentoo.org/glsa/201607-08
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.