Bug #5285

openssh: missing sanitisation of input for X11 forwarding (CVE-2016-3115)

Added by Alicha CH about 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Security
Target version: -
Start date: 03/18/2016
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Affected versions:
Security IDs:

Description

Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).

Injection of xauth commands grants the ability to read arbitrary files under the authenticated user's privilege. Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth(1), which was not written with a hostile user in mind, as an attack surface.

xauth(1) is run under the user's privilege, so this vulnerability offers no additional access to unrestricted accounts, but could circumvent key or account restrictions such as sshd_config ForceCommand, authorized_keys command="..." or restricted shells.

Affected versions:

All versions of OpenSSH prior to 7.2p2 with X11Forwarding enabled.

Fixed In Version:

openssh 7.2p2

References:

http://www.openssh.com/txt/x11fwd.adv
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3115
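
An added illustration of the kind of input check the description says was missing (example code written for this page, not OpenSSH's own code and not part of the original report): an allow-list validator for the two client-supplied X11 forwarding fields, the authentication protocol name and the cookie, which RFC 4254 requires to be hex encoded, applied before either value is passed to xauth(1). The function names, the 512-byte limit and the rejection of empty values are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define X11_FIELD_MAX 512  /* assumed upper bound for this example */

/* Protocol name: ASCII letters, digits and . : / - _ only. */
static int x11_proto_is_safe(const char *s)
{
    size_t i;
    if (s == NULL || s[0] == '\0')
        return 0;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        int alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                    (c >= 'a' && c <= 'z');
        /* Anything outside the allow-list (spaces, quotes, control
         * characters, line breaks) rejects the whole field. */
        if (i >= X11_FIELD_MAX || (!alnum && strchr(".:/-_", c) == NULL))
            return 0;
    }
    return 1;
}

/* Cookie: non-empty, even-length string of hex digits. */
static int x11_cookie_is_safe(const char *s)
{
    size_t n;
    if (s == NULL)
        return 0;
    n = strlen(s);
    if (n == 0 || n > X11_FIELD_MAX || n % 2 != 0)
        return 0;
    return strspn(s, "0123456789abcdefABCDEF") == n;
}

/* Accept a forwarding request only if both fields pass validation. */
int x11_request_is_acceptable(const char *proto, const char *cookie)
{
    return x11_proto_is_safe(proto) && x11_cookie_is_safe(cookie);
}

int main(void)
{
    /* Constructed sample values, not taken from any real session. */
    printf("%d\n", x11_request_is_acceptable("MIT-MAGIC-COOKIE-1",
                       "0123456789abcdef0123456789abcdef"));
    printf("%d\n", x11_request_is_acceptable("MIT-MAGIC-COOKIE-1\nx", "00"));
    return 0;
}
```

Rejecting the request outright, rather than stripping the offending characters, keeps the check simple to reason about.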


Subtasks

Bug #5286: [3.2] openssh: missing sanitisation of input for X11 forwarding (CVE-2016-3115) - Closed - Natanael Copa

Bug #5287: [3.1] openssh: missing sanitisation of input for X11 forwarding (CVE-2016-3115) - Closed - Natanael Copa

Bug #5288: [3.0] openssh: missing sanitisation of input for X11 forwarding (CVE-2016-3115) - Closed - Natanael Copa

History

#1 Updated by Leonardo Arena about 3 years ago

  • Status changed from New to Resolved

#2 Updated by Alicha CH about 3 years ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from Resolved to Closed
