PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7408 Dropbear SSH Project CVE debrief

CVE-2016-7408 is a high-severity flaw in Dropbear SSH’s dbclient component. Versions through 2016.73 are affected, and the issue was publicly disclosed on 2017-03-03. NVD rates the impact as high and maps the weakness to CWE-284 (Improper Access Control).

Vendor: Dropbear SSH Project
Product: CVE-2016-7408
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and product teams that ship or rely on Dropbear SSH dbclient on systems running versions 2016.73 or earlier should prioritize this issue, especially where the client is used in automated or user-facing SSH workflows.

Technical summary

The vulnerability is described as arbitrary code execution in dbclient when handling crafted -m or -c arguments. NVD classifies the issue under CWE-284 and assigns a CVSS v3.0 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality, integrity, and availability impact in the modeled attack context. The vulnerable range in NVD covers Dropbear SSH through 2016.73, with the vendor patch reference linked in the project repository.

Defensive priority

High. The combination of code execution impact and broad confidentiality, integrity, and availability consequences makes this a priority for patch verification and inventory review.

Recommended defensive actions

  • Confirm whether Dropbear SSH versions 2016.73 or earlier are deployed anywhere in your environment.
  • Upgrade to a fixed Dropbear SSH release at or above 2016.74, or apply the vendor-provided patch referenced in the project repository.
  • Review any products or appliances that bundle Dropbear SSH, since embedded copies may lag behind upstream releases.
  • Validate exposure in automation, scripts, and management tooling that invoke dbclient.
  • Use official advisories and downstream notices to cross-check remediation status across distributions.
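The first two actions above amount to a version check against the 2016.74 fix boundary. The following inventory helper is an added example, not PatchSiren's or the Dropbear project's code: it parses a Dropbear version out of package metadata, a `dbclient -V` banner, or a dropbear identification string, and classifies it using Dropbear's year.release numbering (older 0.xx releases sort below 2011.xx). The sample strings are constructed, and the assumption that `dbclient -V` prints its version is labelled in the code.

```python
"""Inventory check for CVE-2016-7408: flag Dropbear builds through 2016.73."""
import re
import subprocess
from typing import Optional, Tuple

# First release carrying the upstream fix (patch revision eed9376a4ad6).
FIXED_IN: Tuple[int, int] = (2016, 74)

# Match "dropbear" followed (within a few non-digit chars) by MAJOR.MINOR,
# e.g. "SSH-2.0-dropbear_2016.73", "Dropbear v0.52", "dropbear 2016.74".
# Anchoring on the product name avoids picking up "2.0" from the protocol
# prefix or versions of other SSH implementations.
VERSION_RE = re.compile(r"dropbear\D{0,20}?(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) for a Dropbear version found in text, else None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version: Tuple[int, int]) -> bool:
    """True for every release before the fix, i.e. through 2016.73."""
    return version < FIXED_IN


def assess(text: str) -> str:
    """Classify a version string as 'vulnerable', 'fixed', or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "fixed"


def local_dbclient_output() -> str:
    """Capture `dbclient -V` output if dbclient is installed on this host.
    Assumption: -V prints the version (to stdout or stderr); we read both."""
    try:
        proc = subprocess.run(["dbclient", "-V"], capture_output=True,
                              text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Constructed sample strings, not captured from real systems.
    for sample in ("SSH-2.0-dropbear_2016.73", "Dropbear SSH client v2016.74",
                   "Dropbear v0.52", "OpenSSH_7.4"):
        print(f"{sample!r}: {assess(sample)}")
    print("local dbclient:", assess(local_dbclient_output()))
```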

Evidence notes

Public disclosure is dated 2017-03-03 in the CVE record. NVD’s modified record lists affected versions through 2016.73 and references the upstream patch revision eed9376a4ad6, the Openwall oss-security discussion, a Red Hat issue tracker entry, and a Gentoo GLSA. The official CVE and NVD records are the primary sources for this debrief.

Official resources

Publicly disclosed on 2017-03-03. The NVD record was modified later, but that does not change the original CVE publication date.