-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0670.2
                    OpenSSH Security Advisory: x11fwd.adv
                                17 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenSSH
Publisher:         OpenSSH
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3115

Original Bulletin: 
   http://www.openssh.com/txt/x11fwd.adv

Revision History:  March 17 2016: Added CVE reference
                   March 11 2016: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

OpenSSH Security Advisory: x11fwd.adv

This document may be found at: http://www.openssh.com/txt/x11fwd.adv

1. Affected configurations

        All versions of OpenSSH prior to 7.2p2 with X11Forwarding enabled.

2. Vulnerability

        Missing sanitisation of untrusted input allows an authenticated
        user who is able to request X11 forwarding to inject commands to
        xauth(1).

        Injection of xauth commands grants the ability to read arbitrary
        files under the authenticated user's privilege. Other xauth
        commands allow limited information leakage, file overwrite, port
        probing and generally expose xauth(1), which was not written with
        a hostile user in mind, as an attack surface.

        xauth(1) is run under the user's privilege, so this vulnerability
        offers no additional access to unrestricted accounts, but could
        circumvent key or account restrictions such as sshd_config
        ForceCommand, authorized_keys command="..." or restricted shells.

3. Mitigation

        Set X11Forwarding=no in sshd_config. This is the default.

        For authorized_keys that specify a "command" restriction, also
        set the "restrict" (available in OpenSSH >=7.2) or
        "no-x11-forwarding" restrictions.

4. Details

        As part of establishing an X11 forwarding session, sshd(8)
        accepts an X11 authentication credential from the client. This
        credential is supplied to the xauth(1) utility to establish it
        for X11 applications that the user subsequently runs.

        The contents of the credential's components (authentication
        scheme and credential data) were not sanitised to exclude
        meta-characters such as newlines. An attacker could therefore
        supply a credential that injected commands to xauth(1).

        The attacker could then use a number of xauth commands to read
        or overwrite arbitrary files subject to file permissions,
        connect to local ports or perform attacks on xauth(1) itself.

        OpenSSH 7.2p2 implements a whitelist of characters that are
        permitted to appear in X11 authentication credentials.

5. Credit

        This issue was identified by github.com/tintinweb and
        communicated to the OpenSSH developers on March 3rd, 2016.

6. Fix

        Portable OpenSSH 7.2p2 contains a fix for this vulnerability.

        Patches for supported OpenBSD releases (5.7, 5.8 and 5.9) have
        been committed to the -STABLE branches and are available on the
        errata pages:

        http://www.openbsd.org/errata57.html
        http://www.openbsd.org/errata58.html
        http://www.openbsd.org/errata59.html

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVun/vX6ZAP0PgtI9AQKIHw//S0XkF+YKS7/cRjt1aDRiu0bXQrOpJK8x
oMxEH7oiMQV2J8G1/qkYpMn+UhRPPXZEifujtlOuBgB9UnSjOt6JOU9MwpQEHw9e
0Rw5Nt3FOcUvT4g59xwBM4VWi8dQOY8MDjtJwC5C5tFg6oxpJBBQkcKzugDAp0WC
l6j8xbXHNDkeeN5R/w6FbdlpJm8cfUiOx/LBPLHtbZelszAO0QWmsEzX2FjY3IvW
CS+vAsyfLMKB31J9+fvexd0LmElqFpH8TMPlHwk0+WyMju8qoYKEfO6TJKJxhvJA
5j1zXgL/yiVKvfSex52VSP7Iz8YeqH6dW24JE2XHJVSE0EaYXvy8Iu7JQp6j/+sQ
W6vgGHdVzJKrUmZ9ok8jy6k7YAaIL+/G5btqQQEqPwIGMZayFQHHG2f/5w5QZN1T
Jp85VlawmKzkbLM2sj/47Hu2vucbiBQIrTtzyYBy6Yo3qhMMj6QsUaeKED/DgXs7
chGb4EPlKKZKbKuF8oFgDk9OhZzDZN6PEoLkVU9yRJZJXekNCaIHqkFNHFZ6rgZI
GqqVK543PWnI+K7mtqiQOaKDBnkfoOC/fpjgvdp1x+TLeNRJifj/HL4Wnn5vAz7w
DGLHDZ7vKrZhk+YbBzt4zuOOE0WTU6EWJnEi5WQGli22NByt2Dy24/fzuy+iXHdj
8vrSFIker5Q=
=nk70
-----END PGP SIGNATURE-----
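The injection described in sections 2 and 4 of the advisory, as an added example in C that is neither part of the bulletin nor OpenSSH's own source. sshd hands the forwarded display's credential to xauth(1) as "remove" and "add" command lines on the utility's stdin, so a newline inside the scheme or data field becomes a further xauth command. The whitelist function models the shape of the 7.2p2 check (alphanumerics plus `.`, `:`, `/`, `-`, `_`); that exact character set, the display name `localhost:10.0`, the function names and the hostile credential are assumptions for illustration.

```c
/* Added example, not OpenSSH source. Models how sshd's xauth script is
 * built from a client-supplied X11 credential, how a newline in that
 * credential injects an extra xauth command, and the character whitelist
 * that rejects it. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Whitelist for the scheme and data fields of an X11 credential.
 * Assumed to match the 7.2p2 check: alphanumerics and . : / - _ only. */
int xauth_valid_string(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != ':' && c != '/' &&
            c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* Build the command script sshd pipes to `xauth -q -` for one display.
 * Returns bytes written, or -1 if buf is too small. */
int build_xauth_script(const char *display, const char *proto,
                       const char *data, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "remove %s\nadd %s %s %s\n",
                     display, display, proto, data);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* xauth executes one command per line; count them. */
int count_xauth_commands(const char *script)
{
    int lines = 0;
    for (const char *p = script; *p; p++)
        if (*p == '\n')
            lines++;
    return lines;
}

/* Commands xauth would run beyond the expected remove+add pair; anything
 * above zero came from the untrusted credential. -1 on buffer overflow. */
int injected_commands(const char *proto, const char *data)
{
    char script[1024];
    if (build_xauth_script("localhost:10.0", proto, data,
                           script, sizeof script) < 0)
        return -1;
    return count_xauth_commands(script) - 2;
}

/* Model of the fixed request handler: validate both fields before
 * anything reaches xauth. Returns 1 if accepted, 0 if rejected. */
int x11_request_accepted(const char *proto, const char *data)
{
    return xauth_valid_string(proto) && xauth_valid_string(data);
}

int main(void)
{
    const char *proto = "MIT-MAGIC-COOKIE-1";
    /* Constructed hostile credential: hex cookie, then a newline and a
     * second xauth command that xauth would run as its own line. */
    const char *hostile =
        "00112233445566778899aabbccddeeff\nadd :1 MIT-MAGIC-COOKIE-1 ff";
    const char *benign = "00112233445566778899aabbccddeeff";

    printf("injected commands: hostile=%d benign=%d\n",
           injected_commands(proto, hostile),
           injected_commands(proto, benign));
    printf("whitelist accepts: hostile=%d benign=%d\n",
           x11_request_accepted(proto, hostile),
           x11_request_accepted(proto, benign));
    return 0;
}
```

The point of the whitelist rather than a newline blacklist is that xauth(1) was never written against hostile input, so the only safe policy is to pass it exactly the token shapes a real credential can have.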
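A check for the mitigation in section 3, as an added example in C (not AusCERT's or OpenSSH's code): it parses authorized_keys lines by the rules in sshd(8) (comma-separated options before the key type, quoted values that may contain commas and `\"` escapes, option names matched case-insensitively) and flags every entry that carries `command="..."` but neither `restrict` nor `no-x11-forwarding`. The sample file contents are constructed; the assumption that an options-free entry starts with `ssh-`, `ecdsa-` or `sk-` is mine.

```c
/* Added example, not OpenSSH source. Flags authorized_keys entries whose
 * command= restriction could be bypassed via X11 forwarding because the
 * key lacks "restrict" or "no-x11-forwarding". */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* sshd matches option names case-insensitively (no-X11-forwarding ==
 * no-x11-forwarding); compare one option name of length len. */
static int opt_is(const char *name, size_t len, const char *want)
{
    return strlen(want) == len && strncasecmp(name, want, len) == 0;
}

/* 1: has command= but no restrict/no-x11-forwarding (needs fixing)
 * 0: entry is fine
 * -1: comment, blank line, or entry without options */
int key_needs_x11_restriction(const char *line)
{
    while (*line == ' ' || *line == '\t')
        line++;
    if (*line == '\0' || *line == '#')
        return -1;
    /* Assumption: an entry with no options starts with its key type. */
    if (!strncmp(line, "ssh-", 4) || !strncmp(line, "ecdsa-", 6) ||
        !strncmp(line, "sk-", 3))
        return -1;

    int has_command = 0, has_restrict = 0;
    const char *p = line;
    while (*p && *p != ' ' && *p != '\t') {          /* options field */
        const char *name = p;
        while (*p && *p != '=' && *p != ',' && *p != ' ' && *p != '\t')
            p++;
        size_t len = (size_t)(p - name);
        if (opt_is(name, len, "command"))
            has_command = 1;
        if (opt_is(name, len, "restrict") ||
            opt_is(name, len, "no-x11-forwarding"))
            has_restrict = 1;
        if (*p == '=') {
            p++;
            if (*p == '"') {        /* quoted value: commas and \" allowed */
                p++;
                while (*p && *p != '"') {
                    if (*p == '\\' && p[1])
                        p++;
                    p++;
                }
                if (*p == '"')
                    p++;
            } else {                /* tolerate an unquoted value */
                while (*p && *p != ',' && *p != ' ' && *p != '\t')
                    p++;
            }
        }
        if (*p == ',')
            p++;
    }
    return has_command && !has_restrict;
}

/* Audit the text of an authorized_keys file line by line; prints each
 * flagged line number and returns how many entries were flagged. */
int audit_authorized_keys(const char *text)
{
    int flagged = 0, lineno = 0;
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[4096];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        lineno++;
        if (key_needs_x11_restriction(line) == 1) {
            printf("line %d: command= without restrict/no-x11-forwarding\n",
                   lineno);
            flagged++;
        }
        p = eol ? eol + 1 : p + strlen(p);
    }
    return flagged;
}

/* Constructed sample file: only line 2 should be flagged. Line 4 has the
 * word "restrict" inside its quoted command and a comma in the value,
 * but is protected by no-X11-forwarding. */
static const char SAMPLE_KEYS[] =
    "# constructed sample, not a real file\n"
    "command=\"/usr/bin/rsync --server\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA backup@host\n"
    "restrict,command=\"/usr/bin/rsync --server\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA backup2@host\n"
    "command=\"/opt/restrict/run,now\",no-pty,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2E ops@host\n"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA unrestricted@host\n";

int main(void)
{
    printf("flagged entries: %d\n", audit_authorized_keys(SAMPLE_KEYS));
    return 0;
}
```

To run this against a real file, read ~/.ssh/authorized_keys (and any AuthorizedKeysFile paths from sshd -T) into a buffer and pass it to audit_authorized_keys. On servers still older than 7.2, "restrict" is not recognised, so "no-x11-forwarding" is the option to add; on 7.2 and later, "restrict" is preferable because it also covers restrictions added in future releases.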