Netgate Discussion Forum

OpenSSH xauth command injection vulnerability

  • S
    slifdrop
    last edited by Sep 19, 2017, 1:23 AM

    Hi,
    I've scanned the pfSense system and found the vulnerability with the Qualys scanner on the SSH port.
    OpenSSH versions before 7.2p2 are vulnerable.

    When will a version of OpenSSH after 7.2p2 be made available?

    Thanks,
    Mike

    Affected Versions:
    OpenSSH versions prior to 7.2p2

    Qualys QID: 38623
    CVE ID: CVE-2016-3115
    Bugtraq ID: 84314
    CVSS Base: 5.4
    CVSS Temporal: 4.3
    <quote>The sshd server fails to validate user-supplied X11 authentication credentials when establishing an X11 forwarding session. An authenticated user may inject arbitrary xauth commands by sending an x11 channel request that includes a newline character in the x11 cookie.
    Please note that Systems with X11Forwarding enabled are affected.
    IMPACT:
    An authenticated, remote attacker can exploit this vulnerability to execute arbitrary commands on the targeted system.
    SOLUTION:
    Users are advised to upgrade to the latest version of the software available. Refer to OpenSSH 7.2p2 Release Notes (http://www.openssh.com/txt/release-7.2p2) for further information.</quote>

    EXPLOITABILITY:
    The Exploit-DB
    Reference: CVE-2016-3115
    Description: OpenSSH 7.2p1 - Authenticated xauth Command Injection - The Exploit-DB Ref : 39569
    Link: http://www.exploit-db.com/exploits/39569
    Qualys
    Reference: CVE-2016-3115
    Description: OpenSSH
    Link: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115

    • D
      doktornotor Banned
      last edited by Sep 19, 2017, 12:08 PM

      @slifdrop:

      Please note that Systems with X11Forwarding enabled are affected.

      
      $ grep X11Forwarding /etc/ssh/sshd_config
      X11Forwarding no
      
      
      • J
        jimp Rebel Alliance Developer Netgate
        last edited by Sep 19, 2017, 12:13 PM

        Your scanner is faulty; it is claiming vulnerabilities based solely on the version number.

        FreeBSD does not alter the version number when patching. Searching on that CVE ID combined with FreeBSD would show you it was patched a long time ago:

        https://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc

        Comparing the FreeBSD version patch level on the SA with that on pfSense shows that the FreeBSD base of current versions is well after the correction date/version.

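Added example (not part of any post in this thread): a shell check that goes one step beyond the `grep` shown above by applying sshd_config rules a plain grep ignores: comment lines, case-insensitive keywords, first global value wins, and `Match` blocks that can re-enable X11 forwarding. The function names and the sample configuration are constructed for illustration; on a live host, `sshd -T` prints the effective configuration.

```shell
#!/bin/sh
# Added example. Reads sshd_config text on stdin and reports whether
# X11Forwarding (the precondition quoted for CVE-2016-3115) can be enabled.

x11_forwarding_state() {
    awk '
        /^[ \t]*#/ { next }                  # comment line
        { sub(/=/, " ") }                    # accept the "Keyword=value" form
        NF == 0 { next }                     # blank line
        {
            key = tolower($1); val = tolower($2)
            if (key == "match") { in_match = 1; next }
            if (key != "x11forwarding") next
            if (in_match) { if (val == "yes") match_yes = 1 }
            else if (global == "") global = val   # first global value wins
        }
        END {
            if (global == "") global = "no"       # upstream OpenSSH default
            print "global=" global " match=" (match_yes ? "yes" : "no")
        }'
}

# Exit status 0 when X11 forwarding is enabled globally or in any Match block.
x11_finding_applies() {
    case "$(x11_forwarding_state)" in
        *=yes*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample: grep would show "X11Forwarding no" first, yet a
# Match block turns the feature back on for one account.
sample='X11Forwarding no
Match User operator
    X11Forwarding yes'

printf '%s\n' "$sample" | x11_forwarding_state   # prints: global=no match=yes
if printf '%s\n' "$sample" | x11_finding_applies; then
    echo "X11 forwarding reachable: confirm the OS patch level against the vendor advisory"
else
    echo "X11 forwarding disabled: the quoted precondition is not met"
fi
```

A "disabled" result only covers the precondition from the scanner text; whether the installed sshd carries the fix is still decided by the vendor advisory, as the last reply explains.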
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.