FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

openssh -- command injection when X11Forwarding is enabled

Affected packages
openssh-portable < 7.2.p2,1
10.2 <= FreeBSD < 10.2_14
10.1 <= FreeBSD < 10.1_31
9.3 <= FreeBSD < 9.3_39

Details

VuXML ID e4644df8-e7da-11e5-829d-c80aa9043978
Discovery 2016-03-11
Entry 2016-03-11
Modified 2016-08-09

The OpenSSH project reports:

Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).

Injection of xauth commands grants the ability to read arbitrary files under the authenticated user's privilege, Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth(1), which was not written with a hostile user in mind, as an attack surface.

Mitigation:

Set X11Forwarding=no in sshd_config. This is the default.

For authorized_keys that specify a "command" restriction, also set the "restrict" (available in OpenSSH >=7.2) or "no-x11-forwarding" restrictions.

[source]

References

CVE Name CVE-2016-3115
FreeBSD Advisory SA-16:14.openssh
URL http://www.openssh.com/txt/x11fwd.adv

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.