CVE-2017-16228

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on systems using Dulwich with SSH subprocesses. Attackers can exploit this by providing a specially crafted SSH URL with a leading dash in the hostname, which gets interpreted as a command-line argument. This affects all users of Dulwich versions before 0.18.5 that use SSH URLs for Git operations.

💻 Affected Systems

Products:
  • Dulwich
Versions: All versions before 0.18.5
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when using SSH subprocesses with Dulwich. The vulnerability is triggered when processing SSH URLs with a leading dash in the hostname.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution as the user running the Dulwich process, potentially leading to data theft, lateral movement, or ransomware deployment.

🟠 Likely Case

Remote code execution on the vulnerable system, allowing attackers to execute arbitrary commands with the privileges of the Dulwich process.

🟢 If Mitigated

No impact if systems are patched or don't use SSH URLs with Dulwich.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: an attacker only needs to supply a malicious SSH URL. This is related to multiple similar vulnerabilities in other Git implementations (CVE-2017-9800, CVE-2017-12836, etc.).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.18.5 and later

Vendor Advisory: https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/

Restart Required: No

Instructions:

1. Upgrade Dulwich to version 0.18.5 or later using pip (quote the specifier so the shell does not treat `>` as a redirect): pip install --upgrade "dulwich>=0.18.5"
2. Verify the upgrade completed successfully
3. No restart required as this is a Python library

🔧 Temporary Workarounds

Disable SSH URL processing

all

Prevent Dulwich from processing SSH URLs by modifying application code to reject or sanitize SSH URLs before passing them to Dulwich.

Input validation for SSH URLs

all

Implement strict input validation to reject SSH URLs containing leading dashes or other suspicious characters in hostnames.
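As an added example of the validation described above (this is not Dulwich's own code), a standalone check that an application can run on a URL before handing it to Dulwich. It extracts the hostname from both the `ssh://[user@]host[:port]/path` form and the scp-like `[user@]host:path` shorthand, then rejects hostnames with a leading dash or other characters outside a conservative allowlist. The function names and the sample URLs are constructed for this example.

```python
import re
from urllib.parse import urlparse

# scp-like shorthand accepted by Git: [user@]host:path (no "://", colon before any slash)
_SCP_LIKE = re.compile(r"^(?:(?P<user>[^@/:]+)@)?(?P<host>[^:/]+):(?P<path>.*)$")

# Conservative allowlist: must start with a letter or digit, so a leading "-" can
# never be read by the SSH client as an option. IPv6 literals are not accepted.
_SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")

SSH_SCHEMES = ("ssh", "git+ssh")


def ssh_hostname(url):
    """Return the hostname of an SSH-style Git URL.

    Returns None when the URL does not use an SSH transport at all, and ""
    when it is an SSH URL whose host part is empty.
    """
    if "://" in url:
        parsed = urlparse(url)
        if parsed.scheme not in SSH_SCHEMES:
            return None  # https://, git://, file:// are not passed to an ssh subprocess
        return parsed.hostname or ""  # hostname drops user@ and :port
    m = _SCP_LIKE.match(url)
    return m.group("host") if m else None


def check_ssh_url(url):
    """Raise ValueError if the URL's SSH hostname could be misparsed as an option."""
    host = ssh_hostname(url)
    if host is None:
        return url  # not an SSH URL; nothing for an ssh subprocess to misinterpret
    if not _SAFE_HOST.match(host):
        raise ValueError("refusing SSH URL with suspicious hostname: %r" % host)
    return url


def is_safe_ssh_url(url):
    """Boolean wrapper around check_ssh_url for callers that prefer not to catch."""
    try:
        check_ssh_url(url)
    except ValueError:
        return False
    return True
```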

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems using vulnerable Dulwich versions
  • Deploy application-level firewalls to monitor and block suspicious SSH URL patterns

🔍 How to Verify

Check if Vulnerable:

Check the Dulwich version with python -c "import dulwich; print(dulwich.__version__)" (this prints a version tuple) and confirm it is below 0.18.5

Check Version:

python -c "import dulwich; print(dulwich.__version__)"

Verify Fix Applied:

Verify Dulwich version is 0.18.5 or higher: python -c "import dulwich; print(dulwich.__version__)"

📡 Detection & Monitoring

Log Indicators:

  • Unusual SSH connection attempts with dashes in hostnames
  • Unexpected process execution from Dulwich context

Network Indicators:

  • SSH connections to unusual destinations from Dulwich processes
  • Outbound connections following Dulwich SSH operations

SIEM Query:

process.name:dulwich AND (process.cmdline:*ssh* OR network.protocol:ssh)

Note that Dulwich is a library running inside a Python interpreter, so the logged process name will usually be the interpreter (e.g. python) rather than dulwich; adapt the process field to how your applications are launched.

🔗 References
