[3.0] openssh: missing sanitisation of input for X11 forwarding (CVE-2016-3115)
Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).
Injection of xauth commands grants the ability to read arbitrary files under the authenticated user's privilege. Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth(1), which was not written with a hostile user in mind, as an attack surface.
xauth(1) is run under the user's privilege, so this vulnerability offers no additional access to unrestricted accounts, but could circumvent key or account restrictions such as sshd_config ForceCommand, authorized_keys command="..." or restricted shells.
Affected versions:
All versions of OpenSSH prior to 7.2p2, on servers with X11Forwarding enabled in sshd_config.
Fixed In Version:
openssh 7.2p2
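The two preconditions above (an OpenSSH release older than 7.2p2 and X11Forwarding enabled on the server) can be checked offline from an `ssh -V`/banner string and an sshd_config. The following is an added example written for this entry, not code from the OpenSSH project or from the issue; the function names, the constructed banner and the constructed sshd_config excerpt are all assumptions of the example. One caveat a practitioner must keep in mind: distributions that backport the fix into an older package (as a patch-level security fix rather than an upgrade to 7.2p2) keep the old version string, so a banner-only check over-reports and should be confirmed against the package changelog.

```python
import re

# OpenSSH 7.2p2 is the fixed release named in the advisory.
FIXED_VERSION = (7, 2, 2)


def parse_openssh_version(banner):
    """Return (major, minor, portable_patch) from a string containing
    'OpenSSH_X.Y[pN]', e.g. the output of `ssh -V` or an SSH-2.0 banner.
    A release without a 'pN' suffix (non-portable OpenBSD build) is
    treated as p0 so that it still sorts before 7.2p2. Returns None if no
    OpenSSH version is present."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def x11_forwarding_enabled(sshd_config_text):
    """Parse an sshd_config and report whether X11Forwarding is on.

    Rules from sshd_config(5) that matter here: keywords are
    case-insensitive, keyword and value are separated by whitespace or a
    single '=', lines starting with '#' are comments, and for each keyword
    sshd uses the first value it obtains. X11Forwarding may also appear
    inside a Match block; a 'yes' there is reported conservatively as
    enabled, since some connections will get it. The compiled-in default
    is 'no'."""
    global_value = None
    match_yes = False
    in_match = False
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if key != "x11forwarding":
            continue
        if in_match:
            if value == "yes":
                match_yes = True
        elif global_value is None:  # first obtained value wins
            global_value = value
    if global_value is None:
        global_value = "no"  # upstream default when the keyword is absent
    return global_value == "yes" or match_yes


def cve_2016_3115_exposure(version_banner, sshd_config_text):
    """Combine both preconditions from the advisory into one verdict:
    'fixed', 'not exposed' (old code but X11Forwarding off), 'vulnerable',
    or 'unknown' (no OpenSSH version found). Backported distro fixes are
    not detectable from the banner; see the caveat in the lead-in."""
    version = parse_openssh_version(version_banner)
    if version is None:
        return "unknown"
    if version >= FIXED_VERSION:
        return "fixed"
    if not x11_forwarding_enabled(sshd_config_text):
        return "not exposed"
    return "vulnerable"


# Constructed sample inputs for the example; not taken from any real host.
SAMPLE_BANNER = "OpenSSH_7.2p1, OpenSSL 1.0.2g  1 Mar 2016"  # `ssh -V` style
SAMPLE_SSHD_CONFIG = """\
# Constructed sshd_config excerpt
Port 22
X11Forwarding yes
ForceCommand /usr/local/bin/restricted-shell
"""

if __name__ == "__main__":
    print(parse_openssh_version(SAMPLE_BANNER))
    print(x11_forwarding_enabled(SAMPLE_SSHD_CONFIG))
    print(cve_2016_3115_exposure(SAMPLE_BANNER, SAMPLE_SSHD_CONFIG))
```

The sample config pairs X11Forwarding with ForceCommand deliberately: that is exactly the restriction the advisory says an injected xauth command can bypass, so a host like this is the one to prioritise when rolling out 7.2p2 or the distribution's patched package.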
References:
http://www.openssh.com/txt/x11fwd.adv
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3115
(from redmine: issue id 5288, created on 2016-03-18, closed on 2016-03-23)
- Relations:
- parent #5285 (closed)
- Changesets:
- Revision b1a290f6 on 2016-03-22T11:56:04Z:
main/openssh: security fix (CVE-2016-3115). Fixes #5288