
CERT Coordination Center

OpenSSH Client contains a client information leak vulnerability and buffer overflow

Vulnerability Note VU#456088

Original Release Date: 2016-01-14 | Last Revised: 2016-01-20

Overview

OpenSSH client code versions 5.4 through 7.1p1 contain a client information leak vulnerability that could allow an OpenSSH client to leak information, including but not limited to private keys, as well as a buffer overflow in certain non-default configurations.

Description

CWE-200: Information Exposure - CVE-2016-0777

According to the OpenSSH release notes for version 7.1p2:

 The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming).

The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys.

The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.

CWE-122: Heap-based Buffer Overflow - CVE-2016-0778

According to Qualys, the API functions packet_write_wait() and ssh_packet_write_wait() may overflow in some scenarios after a successful reconnection.

Qualys also notes that:

    The buffer overflow, on the other hand, is present in the default configuration of the OpenSSH client but its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X). This buffer overflow is therefore unlikely to have any real-world impact, but provides a particularly interesting case study.

For more information, please see Qualys's advisory. The CVSS score below is based on CVE-2016-0777.

Impact

A user that authenticates to a malicious or compromised server may reveal private data, including the user's private SSH key, or cause a buffer overflow that may lead to remote code execution in certain non-default configurations.

Solution

Apply an update

OpenSSH 7.1p2 has been released to address these issues. Affected users are advised to update as soon as possible.

If updating is not currently an option, consider the following workaround:

Disable the 'UseRoaming' Feature

The vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the global ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.
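
One way to audit a client for this workaround, as an added example that is not part of the CERT note or of OpenSSH. The function names, banner and sample configuration are constructed; it relies on ssh reading the user file before the system file and keeping the first value it obtains for a keyword, as ssh_config(5) describes.

```shell
#!/bin/sh
# Added example: check a client for the UseRoaming workaround
# (CVE-2016-0777 / CVE-2016-0778). Helper names are hypothetical.
#
# Typical use on a real host:
#   version_affected "$(ssh -V 2>&1)" && \
#       roaming_global_value ~/.ssh/config /etc/ssh/ssh_config

# version_affected BANNER
# Exit 0 if the `ssh -V` banner is within the range the note gives
# (5.4 through 7.1p1), 1 if outside it, 2 if no OpenSSH version is found.
# Vendors backport fixes, so a hit means "check the package", not proof.
version_affected() {
    printf '%s\n' "$1" | awk '{
        if (!match($0, /OpenSSH_[0-9]+\.[0-9]+(p[0-9]+)?/)) exit 2
        split(substr($0, RSTART + 8, RLENGTH - 8), v, /[.p]/)  # "7.1p1" -> 7, 1, 1
        n = v[1] * 100 + v[2]
        exit ((n >= 504 && (n < 701 || (n == 701 && v[3] + 0 <= 1))) ? 0 : 1)
    }'
}

# roaming_global_value [FILE...]
# Prints the UseRoaming value that applies to every host:
#   no | yes    first value set before any Host/Match line, or under
#               "Host *" or "Match all"
#   unset       never set globally (affected clients keep it enabled)
#   overridden  global value is "no", but an earlier host-specific
#               block sets "yes" and wins for the hosts it matches
# Pass files in the order ssh reads them (user file, then system file).
# With no arguments the configuration is read from stdin.
# Include directives are not followed.
roaming_global_value() {
    awk '
        FNR == 1 { global = 1 }    # each file starts outside any Host block
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            if (line == "" || line ~ /^#/ || !match(line, /^[A-Za-z0-9]+/)) next
            key = tolower(substr(line, 1, RLENGTH))   # keywords are case-insensitive
            arg = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", arg)           # "Key value" or "Key=value"
            gsub(/"/, "", arg)
            if (key == "host") {
                global = 0; neg = 0
                n = split(arg, pat, /[ \t]+/)
                for (i = 1; i <= n; i++) {
                    if (pat[i] == "*") global = 1
                    if (pat[i] ~ /^!/) neg = 1
                }
                if (neg) global = 0                   # "Host * !x" is not every host
            } else if (key == "match") {
                global = (tolower(arg) == "all")
            } else if (key == "useroaming" && val == "") {
                # only values seen before the global one can take effect
                if (global) val = tolower(arg)
                else if (tolower(arg) == "yes") early_yes = 1
            }
        }
        END {
            if (val == "") print "unset"
            else if (val == "no" && early_yes) print "overridden"
            else print val
        }
    ' "$@"
}

# Constructed sample: the workaround sits under "Host *" but is shadowed
# by an earlier host-specific block.
sample_config() {
    cat <<'EOF'
Host build-*
    UseRoaming yes
Host *
    UseRoaming=no
EOF
}

if version_affected "OpenSSH_6.9p1, OpenSSL 1.0.2 (constructed banner)"; then
    echo "banner in affected range; global UseRoaming: $(sample_config | roaming_global_value)"
fi
```

Any result other than `no` on a client in the affected range means the workaround is not in force for every host.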

Vendor Information


Debian GNU/Linux

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Hardened BSD

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

"We released new versions with the workaround:

https://github.com/HardenedBSD/hardenedBSD-stable/commit/831e4682e627882dec7430052af7b74541aa79dc
https://github.com/HardenedBSD/hardenedBSD/commit/efa4e9c808a18c3f6c291981d1a463b10ba8c514

Fixed in these versions:
https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedBSD-10-STABLE-v39.1
https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedBSD-11-CURRENT-v39.2"

OpenBSD

Notified:  January 14, 2016 Updated:  January 15, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

OpenBSD has patches available:

Vendor References

OpenSSH

Updated:  January 14, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Ubuntu

Notified:  January 14, 2016 Updated:  January 14, 2016

Statement Date:   January 14, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Updates are now available for supported releases.

Vendor References

Openwall GNU/*/Linux

Notified:  January 14, 2016 Updated:  January 20, 2016

Statement Date:   January 19, 2016

Status

  Not Affected

Vendor Statement

"Openwall GNU/*/Linux is not affected. We're using a fork of an older version of OpenSSH, from prior to the introduction of the roaming feature."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    AT&T

    Notified:  January 14, 2016 Updated:  January 14, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      Alcatel-Lucent

      Notified:  January 14, 2016 Updated:  January 14, 2016

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        Apple

        Notified:  January 14, 2016 Updated:  January 14, 2016

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          Arch Linux

          Notified:  January 14, 2016 Updated:  January 14, 2016

          Status

            Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            Arista Networks, Inc.

            Notified:  January 14, 2016 Updated:  January 14, 2016

            Status

              Unknown

            Vendor Statement

            No statement is currently available from the vendor regarding this vulnerability.

            Vendor References

              Aruba Networks

              Notified:  January 14, 2016 Updated:  January 14, 2016

              Status

                Unknown

              Vendor Statement

              No statement is currently available from the vendor regarding this vulnerability.

              Vendor References

                Avaya, Inc.

                Notified:  January 14, 2016 Updated:  January 14, 2016

                Status

                  Unknown

                Vendor Statement

                No statement is currently available from the vendor regarding this vulnerability.

                Vendor References

                  Barracuda Networks

                  Notified:  January 14, 2016 Updated:  January 14, 2016

                  Status

                    Unknown

                  Vendor Statement

                  No statement is currently available from the vendor regarding this vulnerability.

                  Vendor References

                    Belkin, Inc.

                    Notified:  January 14, 2016 Updated:  January 14, 2016

                    Status

                      Unknown

                    Vendor Statement

                    No statement is currently available from the vendor regarding this vulnerability.

                    Vendor References

                      Blue Coat Systems

                      Notified:  January 14, 2016 Updated:  January 14, 2016

                      Status

                        Unknown

                      Vendor Statement

                      No statement is currently available from the vendor regarding this vulnerability.

                      Vendor References

                        Brocade Communication Systems

                        Notified:  January 14, 2016 Updated:  January 14, 2016

                        Status

                          Unknown

                        Vendor Statement

                        No statement is currently available from the vendor regarding this vulnerability.

                        Vendor References

                          CA Technologies

                          Notified:  January 14, 2016 Updated:  January 14, 2016

                          Status

                            Unknown

                          Vendor Statement

                          No statement is currently available from the vendor regarding this vulnerability.

                          Vendor References

                            CentOS

                            Notified:  January 14, 2016 Updated:  January 14, 2016

                            Status

                              Unknown

                            Vendor Statement

                            No statement is currently available from the vendor regarding this vulnerability.

                            Vendor References

                              Check Point Software Technologies

                              Notified:  January 14, 2016 Updated:  January 14, 2016

                              Status

                                Unknown

                              Vendor Statement

                              No statement is currently available from the vendor regarding this vulnerability.

                              Vendor References

                                Cisco

                                Notified:  January 14, 2016 Updated:  January 14, 2016

                                Status

                                  Unknown

                                Vendor Statement

                                No statement is currently available from the vendor regarding this vulnerability.

                                Vendor References

                                  CoreOS

                                  Notified:  January 14, 2016 Updated:  January 14, 2016

                                  Status

                                    Unknown

                                  Vendor Statement

                                  No statement is currently available from the vendor regarding this vulnerability.

                                  Vendor References

                                    D-Link Systems, Inc.

                                    Notified:  January 14, 2016 Updated:  January 14, 2016

                                    Status

                                      Unknown

                                    Vendor Statement

                                    No statement is currently available from the vendor regarding this vulnerability.

                                    Vendor References

                                      DesktopBSD

                                      Notified:  January 14, 2016 Updated:  January 14, 2016

                                      Status

                                        Unknown

                                      Vendor Statement

                                      No statement is currently available from the vendor regarding this vulnerability.

                                      Vendor References

                                        DragonFly BSD Project

                                        Notified:  January 14, 2016 Updated:  January 14, 2016

                                        Status

                                          Unknown

                                        Vendor Statement

                                        No statement is currently available from the vendor regarding this vulnerability.

                                        Vendor References

                                          EMC Corporation

                                          Notified:  January 14, 2016 Updated:  January 14, 2016

                                          Status

                                            Unknown

                                          Vendor Statement

                                          No statement is currently available from the vendor regarding this vulnerability.

                                          Vendor References

                                            Enterasys Networks

                                            Notified:  January 14, 2016 Updated:  January 14, 2016

                                            Status

                                              Unknown

                                            Vendor Statement

                                            No statement is currently available from the vendor regarding this vulnerability.

                                            Vendor References

                                              Ericsson

                                              Notified:  January 14, 2016 Updated:  January 14, 2016

                                              Status

                                                Unknown

                                              Vendor Statement

                                              No statement is currently available from the vendor regarding this vulnerability.

                                              Vendor References

                                                European Registry for Internet Domains

                                                Notified:  January 14, 2016 Updated:  January 14, 2016

                                                Status

                                                  Unknown

                                                Vendor Statement

                                                No statement is currently available from the vendor regarding this vulnerability.

                                                Vendor References

                                                  Extreme Networks

                                                  Notified:  January 14, 2016 Updated:  January 14, 2016

                                                  Status

                                                    Unknown

                                                  Vendor Statement

                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                  Vendor References

                                                    F5 Networks, Inc.

                                                    Notified:  January 14, 2016 Updated:  January 14, 2016

                                                    Status

                                                      Unknown

                                                    Vendor Statement

                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                    Vendor References

                                                      Fedora Project

                                                      Notified:  January 14, 2016 Updated:  January 14, 2016

                                                      Status

                                                        Unknown

                                                      Vendor Statement

                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                      Vendor References

                                                        Force10 Networks

                                                        Notified:  January 14, 2016 Updated:  January 14, 2016

                                                        Status

                                                          Unknown

                                                        Vendor Statement

                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                        Vendor References

                                                          Fortinet, Inc.

                                                          Notified:  January 14, 2016 Updated:  January 14, 2016

                                                          Status

                                                            Unknown

                                                          Vendor Statement

                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                          Vendor References

                                                            Foundry Brocade

                                                            Notified:  January 14, 2016 Updated:  January 14, 2016

                                                            Status

                                                              Unknown

                                                            Vendor Statement

                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                            Vendor References

                                                              FreeBSD Project

                                                              Notified:  January 14, 2016 Updated:  January 14, 2016

                                                              Status

                                                                Unknown

                                                              Vendor Statement

                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                              Vendor References

                                                                GNU adns

                                                                Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                Status

                                                                  Unknown

                                                                Vendor Statement

                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                Vendor References

                                                                  GNU glibc

                                                                  Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                  Status

                                                                    Unknown

                                                                  Vendor Statement

                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                  Vendor References

                                                                    Gentoo Linux

                                                                    Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                    Status

                                                                      Unknown

                                                                    Vendor Statement

                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                    Vendor References

                                                                      Google

                                                                      Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                      Status

                                                                        Unknown

                                                                      Vendor Statement

                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                      Vendor References

                                                                        Hewlett Packard Enterprise

                                                                        Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                        Status

                                                                          Unknown

                                                                        Vendor Statement

                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                        Vendor References

                                                                          Hitachi

                                                                          Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                          Status

                                                                            Unknown

                                                                          Vendor Statement

                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                          Vendor References

                                                                            Huawei Technologies

                                                                            Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                            Status

                                                                              Unknown

                                                                            Vendor Statement

                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                            Vendor References

                                                                              IBM eServer

                                                                              Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                              Status

                                                                                Unknown

                                                                              Vendor Statement

                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                              Vendor References

                                                                                Infoblox

                                                                                Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                                Status

                                                                                  Unknown

                                                                                Vendor Statement

                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                Vendor References

                                                                                  Intel Corporation

                                                                                  Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                                  Status

                                                                                    Unknown

                                                                                  Vendor Statement

                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                  Vendor References

                                                                                    Internet Systems Consortium

                                                                                    Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                                    Status

                                                                                      Unknown

                                                                                    Vendor Statement

                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                    Vendor References

                                                                                      Internet Systems Consortium - DHCP

                                                                                      Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                                      Status

                                                                                        Unknown

                                                                                      Vendor Statement

                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                      Vendor References

                                                                                        JH Software

                                                                                        Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                                        Status

                                                                                          Unknown

                                                                                        Vendor Statement

                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                        Vendor References

                                                                                          Juniper Networks

                                                                                          Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                                          Status

                                                                                            Unknown

                                                                                          Vendor Statement

                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                          Vendor References

                                                                                            McAfee

                                                                                            Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                                            Status

                                                                                              Unknown

                                                                                            Vendor Statement

                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                            Vendor References

                                                                                              Microsoft Corporation

                                                                                              Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                                              Status

                                                                                                Unknown

                                                                                              Vendor Statement

                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                              Vendor References

                                                                                                NEC Corporation

                                                                                                Notified:  January 14, 2016 Updated:  January 14, 2016

                                                                                                Status

                                                                                                  Unknown

                                                                                                Vendor Statement

                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                Vendor References

NLnet Labs

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NetBSD

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Nokia

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Nominum

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OmniTI

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OpenDNS

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Oracle Corporation

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

PC-BSD

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Peplink

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

PowerDNS

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Q1 Labs

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

QNX Software Systems Inc.

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Red Hat, Inc.

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SUSE Linux

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SafeNet

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Secure64 Software Corporation

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Slackware Linux Inc.

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SmoothWall

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Snort

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sony Corporation

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sourcefire

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Symantec

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

TippingPoint Technologies Inc.

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Turbolinux

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Unisys

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

VMware

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Wind River

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

ZyXEL

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

dnsmasq

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

gdnsd

Notified: January 14, 2016 Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

m0n0wall

Notified: January 14, 2016
Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

openSUSE project

Notified: January 14, 2016
Updated: January 14, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References


CVSS Metrics

Group          Score  Vector
Base           4.3    AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal       3.6    E:F/RL:OF/RC:C
Environmental  2.7    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This issue was previously coordinated and publicly disclosed by the Qualys Security Advisory Team.

This document was written by Brian Gardiner and Garret Wassermann.

Other Information

CVE IDs: CVE-2016-0777, CVE-2016-0778
Date Public: 2016-01-14
Date First Published: 2016-01-14
Date Last Updated: 2016-01-20 19:49 UTC
Document Revision: 45

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.