CVE-2016-7406: Format string vulnerability in Dropbear SSH


False positive


CVE-2016-7406 CVE-2016-7407 CVE-2016-7408 CVE-2016-7409


Format string vulnerability in Dropbear SSH before 2016.74 allows remote attackers to execute arbitrary code via format string specifiers in the (1) username or (2) host argument.

Unitrends assessment:  OS software is Not Exposed

The dropbear ssh server is not the same as the openssh-server package. Our CentOS installations use the openssh-server package instead.

However, if the Unitrends system has SuperMicro X10DRH-CT firmware 3.26, this firmware version includes a DropBear SSH instance for a firmware management CLI, if the IPMI LAN port is configured and \enabled. 



Unitrends servers:  OS software is Not Exposed.  dropbear ssh is not installed, so this is a false positive if shown in a scan for the OS IP address.
The flaw was fixed in a dropbear-2016.74 package from the Fedora EPEL repository.

If the scan shows this on the IPMI LAN IP address, below is the resolution for the SuperMicro firmware.
For the SuperMicro firmware instance, run 'ipmiutil health' to check if the system has firmware 3.26:

[root@Recovery926S ~]# ipmiutil health
ipmiutil ver 3.01
ihealth ver 3.01
BMC manufacturer  = 002a7c (SuperMicro), product = 0859 (X10DRH)
BMC version       = 3.26, IPMI v2.0

If so, upgrading the SuperMicro firmware to X10DRH firmware version 3.65 via the IPMI LAN web interface will resolve this.  


Have more questions?

Contact us

Was this article helpful?
0 out of 0 found this helpful

Provide feedback for the Documentation team!

Browse this section