Dropbear SSH released a new version (2016.74) of the SSH server in July 2016, along with fixes for four CVEs.
They are:
CVE-2016-7406 – Message printout is vulnerable to format string injection. If specific usernames including “%” symbols can be created on a system, an attacker could run arbitrary code as root when connecting to Dropbear server.
CVE-2016-7407 – Import of OpenSSH keys via dropbearconvert could run arbitrary code as the local dropbearconvert user when parsing malicious key files.
CVE-2016-7408 – dbclient could run arbitrary code as the local dbclient user if particular -m or -c arguments are provided. This could be an issue where dbclient is used in scripts.
CVE-2016-7409 – dbclient or the dropbear server could expose process memory to the running user if compiled with DEBUG_TRACE and running with -v.
The IPMI/LOM component on NetScaler-based hardware appliances (such as MPX and SDX) uses Dropbear SSH server to provide SSH access. This blog post aims to address concerns surrounding these CVEs.
As a workaround for the vulnerability described in CVE-2016-7406, customers are advised to not create usernames with the ‘%’ sign to avoid being subject to privilege escalation attacks.
For the remaining CVEs – CVE-2016-7407, CVE-2016-7408, and CVE-2016-7409 – the Dropbear SSH server on IPMI/LOM does not meet the pre-conditions required for them to apply. IPMI/LOM does not support SSH key import and does not include dbclient. It is also not compiled with the -v (DEBUG_TRACE) option, thus effectively steering clear of those three CVEs.
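The two checks an administrator can actually act on from this post are the fixed Dropbear version (2016.74) and the CVE-2016-7406 workaround (no usernames containing '%'). The following audit helper is an added example, not code from the original post or from Citrix or Dropbear; the passwd-style sample lines are constructed, and the version-string format is assumed to be Dropbear's usual YYYY.NN.

```python
# Added defensive audit helper (not from the original post, Citrix or Dropbear).
# It checks the two pre-conditions discussed above: a Dropbear version older
# than the fixed 2016.74 release, and local usernames containing '%' (the
# CVE-2016-7406 format-string trigger). The sample passwd lines are constructed.
import re

FIXED_VERSION = "2016.74"  # release that carries the fixes for the four CVEs


def parse_version(v):
    """Turn a Dropbear version string such as '2016.74' or 'v2015.71' into a tuple."""
    m = re.search(r"(\d+)\.(\d+)", v)
    if not m:
        raise ValueError("unrecognised Dropbear version: %r" % v)
    return (int(m.group(1)), int(m.group(2)))


def needs_upgrade(version):
    """True when the running Dropbear predates the release that fixes the CVEs."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def username_allowed(name):
    """Policy check to apply before creating an account on an unpatched host."""
    return "%" not in name


def risky_usernames(passwd_text):
    """Return usernames from passwd-style lines that violate the '%' policy."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        name = line.split(":", 1)[0]
        if not username_allowed(name):
            found.append(name)
    return found


# Constructed sample: one account name contains a '%' and should be flagged.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000::/home/admin:/bin/sh
svc%user:x:1001:1001::/home/svc:/bin/sh
"""

if __name__ == "__main__":
    print("upgrade needed for 2015.71:", needs_upgrade("2015.71"))
    print("usernames violating policy:", risky_usernames(SAMPLE_PASSWD))
```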
As a best practice, the Dropbear SSH server will be upgraded to the newer version in an upcoming IPMI/LOM release.