copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2016.0670.2 - UPDATE [Win][UNIX/Linux] OpenSSH: Execute arbitrary code/commands - Existing account

Date: 17 March 2016
References: ESB-2016.0709  ESB-2016.0737  ESB-2016.1043  ASB-2016.0048  ESB-2016.1943  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2016.0670.2
                   OpenSSH Security Advisory: x11fwd.adv
                               17 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenSSH
Publisher:         OpenSSH
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3115  

Original Bulletin: 
   http://www.openssh.com/txt/x11fwd.adv

Revision History:  March 17 2016: Added CVE reference
                   March 11 2016: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

OpenSSH Security Advisory: x11fwd.adv

This document may be found at: http://www.openssh.com/txt/x11fwd.adv

1. Affected configurations

        All versions of OpenSSH prior to 7.2p2 with X11Forwarding
	enabled.

2. Vulnerability

	Missing sanitisation of untrusted input allows an
	authenticated user who is able to request X11 forwarding
	to inject commands to xauth(1).

	Injection of xauth commands grants the ability to read
	arbitrary files under the authenticated user's privilege,
	Other xauth commands allow limited information leakage,
	file overwrite, port probing and generally expose xauth(1),
	which was not written with a hostile user in mind, as an
	attack surface.

	xauth(1) is run under the user's privilege, so this
	vulnerability offers no additional access to unrestricted
	accounts, but could circumvent key or account restrictions
	such as sshd_config ForceCommand, authorized_keys
	command="..." or restricted shells.

3. Mitigation

        Set X11Forwarding=no in sshd_config. This is the default.

	For authorized_keys that specify a "command" restriction,
	also set the "restrict" (available in OpenSSH >=7.2) or
	"no-x11-forwarding" restrictions.

4. Details

        As part of establishing an X11 forwarding session, sshd(8)
	accepts an X11 authentication credential from the client.
	This credential is supplied to the xauth(1) utility to
	establish it for X11 applications that the user subsequently
	runs.

	The contents of the credential's components (authentication
	scheme and credential data) were not sanitised to exclude
	meta-characters such as newlines. An attacker could
	therefore supply a credential that injected commands to
	xauth(1). The attacker could then use a number of xauth
	commands to read or overwrite arbitrary files subject to
	file permissions, connect to local ports or perform attacks
	on xauth(1) itself.

	OpenSSH 7.2p2 implements a whitelist of characters that
	are permitted to appear in X11 authentication credentials.

5. Credit

        This issue was identified by github.com/tintinweb and
	communicated to the OpenSSH developers on March 3rd, 2016.

6. Fix

        Portable OpenSSH 7.2p2 contains a fix for this vulnerability.

	Patches for supported OpenBSD releases (5.7, 5.8 and 5.9) have
	been committed to the -STABLE branches and are available on the
	errata pages:

	http://www.openbsd.org/errata57.html
	http://www.openbsd.org/errata58.html
	http://www.openbsd.org/errata59.html

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVun/vX6ZAP0PgtI9AQKIHw//S0XkF+YKS7/cRjt1aDRiu0bXQrOpJK8x
oMxEH7oiMQV2J8G1/qkYpMn+UhRPPXZEifujtlOuBgB9UnSjOt6JOU9MwpQEHw9e
0Rw5Nt3FOcUvT4g59xwBM4VWi8dQOY8MDjtJwC5C5tFg6oxpJBBQkcKzugDAp0WC
l6j8xbXHNDkeeN5R/w6FbdlpJm8cfUiOx/LBPLHtbZelszAO0QWmsEzX2FjY3IvW
CS+vAsyfLMKB31J9+fvexd0LmElqFpH8TMPlHwk0+WyMju8qoYKEfO6TJKJxhvJA
5j1zXgL/yiVKvfSex52VSP7Iz8YeqH6dW24JE2XHJVSE0EaYXvy8Iu7JQp6j/+sQ
W6vgGHdVzJKrUmZ9ok8jy6k7YAaIL+/G5btqQQEqPwIGMZayFQHHG2f/5w5QZN1T
Jp85VlawmKzkbLM2sj/47Hu2vucbiBQIrTtzyYBy6Yo3qhMMj6QsUaeKED/DgXs7
chGb4EPlKKZKbKuF8oFgDk9OhZzDZN6PEoLkVU9yRJZJXekNCaIHqkFNHFZ6rgZI
GqqVK543PWnI+K7mtqiQOaKDBnkfoOC/fpjgvdp1x+TLeNRJifj/HL4Wnn5vAz7w
DGLHDZ7vKrZhk+YbBzt4zuOOE0WTU6EWJnEi5WQGli22NByt2Dy24/fzuy+iXHdj
8vrSFIker5Q=
=nk70
-----END PGP SIGNATURE-----