CVE-2016-1908
Published: 15 January 2016
The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server.
Notes
Author | Note |
---|---|
sbeattie | first patch needs to be applied before second one, which addresses the issue |
mdeslaur | contrary to release notes, not fixed in 7.1p2: http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html |
Priority
Status
Package | Release | Status |
---|---|---|
openssh (Launchpad, Ubuntu, Debian) | precise | Released (1:5.9p1-5ubuntu1.9) |
 | trusty | Released (1:6.6p1-2ubuntu2.7) |
 | upstream | Released (7.2) |
 | vivid | Ignored (end of life) |
 | wily | Released (1:6.9p1-2ubuntu0.2) |
 | xenial | Not vulnerable (1:7.2p2-4) |
 | yakkety | Not vulnerable (1:7.2p2-5) |
 | zesty | Not vulnerable (1:7.2p2-5) |

Patches:
- upstream: https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f
- upstream: https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1908
- https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html
- https://thejh.net/written-stuff/openssh-6.8-xsecurity
- http://seclists.org/oss-sec/2016/q1/115
- https://ubuntu.com/security/notices/USN-2966-1
- NVD
- Launchpad
- Debian