CVE-2016-6902

9.9 CRITICAL

📋 TL;DR

CVE-2016-6902 is a command-restriction bypass in lshell (limited shell). An authenticated user whose login shell is lshell can escape the restricted environment and run arbitrary commands with that user's own privileges; the lshell process runs as the logged-in user, so this is not in itself an escalation to root, but it defeats the only control separating a restricted account from a full shell. It matters wherever lshell is relied on to confine users, such as shared hosting or educational systems.

💻 Affected Systems

Products:
  • lshell
Versions: 0.9.16 and earlier
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only systems where lshell is the login shell of at least one account are exposed. No unusual configuration is required; the bypass works against the stock lshell.conf.

📦 What is this software?

lshell is a restricted shell written in Python (github.com/ghantoos/lshell). Set as a user's login shell, it confines that user to the commands and paths listed in /etc/lshell.conf, refuses everything else, and logs and counts the refused attempts. It is typically used to give SSH users a handful of permitted commands without handing them a full shell.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker drops from lshell into an unrestricted shell as the same user, then uses whatever that account can reach: readable files, sudo rules, setuid binaries or kernel bugs for local privilege escalation, and the host's network position for lateral movement. On a multi-user host this can end in full compromise.

🟠

Likely Case

Restricted users run commands and read files the lshell profile was meant to forbid, turning a limited account into an ordinary shell account.

🟢

If Mitigated

If the restricted accounts hold nothing beyond what lshell was meant to grant (no sudo rules, tight file permissions, AppArmor or SELinux confinement) and the host is segmented, escaping lshell gains the attacker little and the impact stays within that host.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an account whose login shell is lshell, reachable over SSH or a local terminal. Once logged in, the bypass is a matter of entering a crafted command line at the lshell prompt; public proof-of-concept input is documented and no special tooling is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.17 and later

Vendor Advisory: https://github.com/ghantoos/lshell/commit/a686f71732a3d0f16df52ef46ab8a49ee0083c68

Restart Required: No service restart, but lshell sessions that were already open keep running the old code until the user logs out; terminate them after updating.

Instructions:

1. Update lshell to 0.9.17 or later with your package manager.
2. Debian/Ubuntu: sudo apt-get update && sudo apt-get install lshell
3. pip installs: pip install --upgrade lshell
4. Manual installs: fetch the fixed release from GitHub (the fix is commit a686f71732a3d0f16df52ef46ab8a49ee0083c68) and follow the project's installation instructions.
5. Afterwards, check the installed version and end any lshell sessions that were open during the update.

🔧 Temporary Workarounds

Disable the restricted accounts

linux

Do not "downgrade" affected users to /bin/bash: that grants exactly the unrestricted shell the vulnerability yields. Until lshell is updated, set the login shell of restricted accounts to a non-interactive shell so they cannot log in at all (the path is /sbin/nologin on RHEL-family systems):

sudo usermod -s /usr/sbin/nologin username

Implement additional access controls

linux

Treat lshell as one layer. Give these accounts no sudo rules, keep sensitive files unreadable to them, and confine them with AppArmor or SELinux, so that a user who escapes lshell lands in a shell that still cannot do much.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate systems using lshell
  • Monitor process execution (auditd execve records) for lshell users spawning shells or commands outside their allowed list; lshell's own log only records attempts it refused

🔍 How to Verify

Check if Vulnerable:

Any lshell at 0.9.16 or earlier is affected. Read the version from the package manager or from lshell itself.

Check Version:

lshell --version
dpkg -s lshell | grep '^Version'    (Debian/Ubuntu package)
pip show lshell | grep '^Version'   (pip install)

A distribution may backport the fix without bumping the version; if the version reads 0.9.16 but the package changelog mentions CVE-2016-6902, the package is patched.

Verify Fix Applied:

After updating, confirm lshell --version reports 0.9.17 or later, then end any lshell sessions that were open during the update so they pick up the new code.
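The version check above can be scripted for fleet-wide use. The following is an added example written for this page (not lshell's own code, and not from the advisory); it assumes the three install channels named in the comments (Debian package via dpkg-query, pip, and lshell's own --version flag) and applies the same affected range, 0.9.16 and earlier. It compares integer tuples rather than strings because a lexical comparison would call 0.9.9 newer than 0.9.16.

```python
"""Added example (not part of the lshell project or this advisory): decide
whether an lshell version falls in the range affected by CVE-2016-6902
(0.9.16 and earlier) and, optionally, read the installed version."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_IN: Tuple[int, ...] = (0, 9, 17)   # first release carrying the fix, per the advisory


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the first dotted numeric version out of text such as '0.9.16',
    '1:0.9.16-1' (Debian epoch and revision) or 'lshell-0.9.16'.
    Distribution revisions and suffixes are ignored on purpose."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def is_affected(version_text: str) -> bool:
    """True when the version sorts before FIXED_IN. Tuple comparison is
    element-wise, so (0, 9, 9) < (0, 9, 16) < (0, 9, 17) and (0, 10, 0) is clean."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no version number in {version_text!r}")
    return v < FIXED_IN


def _run(cmd) -> str:
    """Return a command's combined output, or '' if it is missing or fails."""
    if shutil.which(cmd[0]) is None:
        return ""
    try:
        p = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.SubprocessError):
        return ""
    return (p.stdout + p.stderr) if p.returncode == 0 else ""


def installed_version() -> Optional[str]:
    """Try the usual install channels in order (assumed: Debian package, pip,
    then lshell's own --version); return the raw version text or None."""
    for cmd in (["dpkg-query", "-W", "--showformat=${Version}", "lshell"],
                ["pip", "show", "lshell"],
                ["lshell", "--version"]):
        out = _run(cmd)
        if cmd[0] == "pip":  # keep only pip's "Version:" line, not paths with digits
            m = re.search(r"^Version:\s*(\S+)", out, re.M)
            out = m.group(1) if m else ""
        if parse_version(out):
            return out.strip()
    return None


if __name__ == "__main__":
    found = installed_version()
    if found is None:
        print("lshell not found via dpkg, pip or PATH")
    else:
        state = "AFFECTED (<= 0.9.16)" if is_affected(found) else "fixed (>= 0.9.17)"
        print(f"lshell version text: {found!r} -> {state}")
```

The script deliberately ignores the Debian revision, so it cannot see a backported fix; on distribution packages, treat its "AFFECTED" verdict as "check the package changelog" rather than as final.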

📡 Detection & Monitoring

Log Indicators:

  • lshell's own log showing a burst of refused ("forbidden") commands or paths from one user, i.e. probing before a bypass
  • Commands accepted by lshell that contain shell metacharacters or quoting tricks the profile was meant to block
  • An lshell user's session spawning an interactive shell or interpreter, visible in auditd execve records or process accounting, never in lshell's own log

Network Indicators:

  • Outbound connections originating from a restricted account's session (a confined user should have no reason to open them)
  • SSH logins to restricted accounts from unusual sources or at unusual times, followed by a long-lived session

SIEM Query:

lshell writes its own log under the directory set by logpath in lshell.conf (/var/log/lshell/ by default), not to auth.log. Search it for the commands and paths lshell marks as forbidden (the exact wording varies between versions), which indicate a user probing the restrictions:

source="/var/log/lshell/*" AND "forbidden"

Pair that with the SSH logins of restricted accounts from auth.log. Note that a successful bypass leaves no "forbidden" entry at all: the command lshell let through looks, in its own log, like any other accepted command.
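Because the lshell log only records what lshell refused, the escape itself has to be caught at process level. The following is an added example written for this page (not lshell's code and not from the advisory) that reads Linux audit execve records and flags any program an lshell-restricted user runs that is not in their allowed list. It assumes an audit rule such as `-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec` is loaded, that lshell launches permitted commands through the system shell as `sh -c "<cmd>"` (so those wrappers are judged by the command inside them), and that the lshell entry point is /usr/bin/lshell. The user list, allowed commands and audit lines are constructed for the example.

```python
"""Added example (not lshell's code or this advisory's): flag what
lshell-restricted users execute outside their permitted commands, from Linux
audit execve records. Users, allowed commands and log lines are constructed;
the record layout is auditd's SYSCALL/EXECVE format."""
import os
import re
import shlex
from collections import defaultdict
from typing import Any, Dict, List

# Constructed: uid -> name of accounts whose login shell is lshell, and the
# commands their (hypothetical) lshell.conf profile allows.
LSHELL_USERS: Dict[int, str] = {1001: "alice", 1002: "bob"}
ALLOWED = {"ls", "cat", "echo", "pwd"}
SHELLS = {"sh", "bash", "dash", "zsh"}
INTERPRETERS = SHELLS | {"python", "python3", "perl"}

# Constructed records. lshell runs a permitted command as `sh -c "<cmd>"`, so
# 2001 and 2002 look normal; 2003 is the shell spawned by a command substitution
# hidden in that "allowed" echo; 2004 is the login exec of lshell itself; 2005 is
# a command lshell should have refused; 2006 is an unrestricted user (ignored).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1609459200.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4101 auid=1001 uid=1001 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1609459200.101:2001): argc=3 a0="sh" a1="-c" a2="ls -la"
type=SYSCALL msg=audit(1609459230.102:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4102 auid=1001 uid=1001 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1609459230.102:2002): argc=3 a0="sh" a1="-c" a2="echo hello $(bash)"
type=SYSCALL msg=audit(1609459230.150:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=4102 pid=4103 auid=1001 uid=1001 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1609459230.150:2003): argc=1 a0="bash"
type=SYSCALL msg=audit(1609459300.201:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=4200 pid=4201 auid=1002 uid=1002 comm="lshell" exe="/usr/bin/python3" key="exec"
type=EXECVE msg=audit(1609459300.201:2004): argc=2 a0="/usr/bin/python3" a1="/usr/bin/lshell"
type=SYSCALL msg=audit(1609459360.203:2005): arch=c000003e syscall=59 success=yes exit=0 ppid=4201 pid=4203 auid=1002 uid=1002 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1609459360.203:2005): argc=3 a0="sh" a1="-c" a2="id"
type=SYSCALL msg=audit(1609459400.301:2006): arch=c000003e syscall=59 success=yes exit=0 ppid=4300 pid=4301 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1609459400.301:2006): argc=2 a0="bash" a1="-i"
"""

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_audit(text: str) -> Dict[str, Dict[str, Any]]:
    """Merge each event's SYSCALL and EXECVE records; EXECVE's a0..aN become
    an 'argv' list rather than overwriting SYSCALL's raw pointer fields."""
    events: Dict[str, Dict[str, Any]] = defaultdict(dict)
    for line in text.splitlines():
        m = _MSG.search(line)
        if not m:
            continue
        fields = dict(_FIELD.findall(line))
        ev = events[m.group(2)]
        ev.setdefault("time", float(m.group(1)))
        if fields.get("type") == "EXECVE":
            argc = int(fields.get("argc", "0"))
            ev["argv"] = [fields[f"a{i}"].strip('"') for i in range(argc) if f"a{i}" in fields]
        else:
            ev.update({k: v.strip('"') for k, v in fields.items() if k != "msg"})
    return dict(events)


def effective_program(argv: List[str]) -> str:
    """lshell launches permitted commands through the system shell as
    `sh -c "<cmd>"`; judge such an exec by the command it wraps. A shell
    started any other way (interactive, a script) is reported as itself."""
    if not argv:
        return ""
    prog = os.path.basename(argv[0])
    if prog in SHELLS and len(argv) >= 3 and argv[1] == "-c":
        try:
            inner = shlex.split(argv[2])
        except ValueError:          # unbalanced quotes: keep the shell itself
            return prog
        return os.path.basename(inner[0]) if inner else prog
    return prog


def flag_escapes(events, users=LSHELL_USERS, allowed=ALLOWED) -> List[Dict[str, Any]]:
    """One finding per execve by an lshell user that is not on the allowed
    list: shells and interpreters rate 'escape', anything else 'unexpected'
    (lshell should have refused it, so a bypass is likely)."""
    findings = []
    for eid, ev in sorted(events.items(), key=lambda kv: kv[1]["time"]):
        try:
            user = users.get(int(ev.get("auid", -1)))
        except ValueError:
            user = None
        if user is None:
            continue                                  # not a restricted account
        argv = ev.get("argv") or [ev.get("exe", "")]
        prog = effective_program(argv)
        if prog in allowed:
            continue
        # The login exec of lshell itself appears as the interpreter running
        # /usr/bin/lshell (assumed path): not an escape.
        if prog in INTERPRETERS and len(argv) > 1 and os.path.basename(argv[1]) == "lshell":
            continue
        findings.append({"event": eid, "user": user, "pid": ev.get("pid"), "program": prog,
                         "argv": argv, "severity": "escape" if prog in INTERPRETERS else "unexpected"})
    return findings


if __name__ == "__main__":
    print(*flag_escapes(parse_audit(SAMPLE_AUDIT_LOG)), sep="\n")
```

Event 2002 shows why execve auditing is the right vantage point: the wrapper `sh -c "echo hello $(bash)"` is judged by its first word and passes, but the bash that the substitution spawns is a separate execve (2003, child of 4102) and is reported. Feed the script `ausearch -k exec --raw` output in place of SAMPLE_AUDIT_LOG; real logs hex-encode an argument that contains quotes or control characters (it appears as a bare hex string instead of a quoted one), so decode those before the comparison.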
