Openssh xauth command injection vulnerability



  • Hi,
    I've scanned the pfsense system and found the vulnerability with Qualys scanner on the SSH port.
    OpenSSH versions before 7.2p2 are vulnerable.

    When will a version of OpenSSH after 7.2p2 be made available?

    Thanks,
    Mike

    Affected Versions:
    OpenSSH versions prior to 7.2p2

    Qualys QID: 38623
    CVE ID:  CVE-2016-3115
    Bugtraq ID: 84314
    CVSS Base: 5.4
    CVSS Temporal: 4.3
    <quote>The sshd server fails to validate user-supplied X11 authentication credentials when establishing an X11 forwarding session. An authenticated user may inject arbitrary xauth commands by sending an x11 channel request that includes a newline character in the x11 cookie.
    Please note that Systems with X11Forwarding enabled are affected.
    IMPACT:
    An authenticated, remote attacker can exploit this vulnerability to execute arbitrary commands on the targeted system.
    SOLUTION:
    Users are advised to upgrade to the latest version of the software available. Refer to OpenSSH 7.2p2 Release Notes (http://www.openssh.com/txt/release-7.2p2) for further information.</quote>

    EXPLOITABILITY:
    The Exploit-DB Reference:
    Description: CVE-2016-3115 - OpenSSH 7.2p1 - Authenticated xauth Command Injection - The Exploit-DB Ref: 39569
    Link: http://www.exploit-db.com/exploits/39569
    Qualys Reference:
    Description: CVE-2016-3115 - OpenSSH
    Link: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115


  • Banned

    @slifdrop:

    Please note that Systems with X11Forwarding enabled are affected.

    $ grep X11Forwarding /etc/ssh/sshd_config
    X11Forwarding no

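A fuller version of that configuration check, added here as an example and not part of the thread: a bare grep also matches commented-out lines and says nothing about the default when the keyword is absent, so this script reads sshd_config the way sshd does. It assumes the config path is passed as an argument and that a POSIX awk is available.

```sh
#!/bin/sh
# Added example, not from the thread: decide whether X11Forwarding is actually
# enabled in an sshd_config, following the rules sshd itself applies, which a
# bare "grep X11Forwarding" does not:
#   - comment lines ("#X11Forwarding yes") and blank lines are ignored
#     (trailing "# ..." comments are dropped here as well)
#   - keywords are case-insensitive and "Keyword=value" is accepted
#   - the FIRST uncommented occurrence wins; later duplicates are ignored
#   - settings below a "Match" line apply only to matched sessions, so they
#     are not counted as the global value but are reported on stderr
#   - if the keyword never appears, sshd's compiled-in default "no" applies
# Prints "yes" or "no" (the effective global value) for the given file.
effective_x11forwarding() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)              # strip comments
            gsub(/=/, " ", line)              # treat "=" like whitespace
            sub(/^[ \t]+/, "", line)          # drop leading blanks
            n = split(line, f, /[ \t]+/)
            if (n == 0 || f[1] == "") next    # nothing left after stripping
            key = tolower(f[1])
            if (key == "match") { in_match = 1; next }
            if (in_match) {                   # conditional block: record only
                if (key == "x11forwarding") in_match_seen = 1
                next
            }
            if (key == "x11forwarding" && !found) {
                found = 1
                value = tolower(f[2])
            }
        }
        END {
            if (!found) value = "no"          # sshd default
            print value
            if (in_match_seen)
                print "note: X11Forwarding also set inside a Match block;" \
                      " verify per-session with: sshd -T -C user=...,host=...,addr=..." | "cat 1>&2"
        }
    ' "$1"
}

# Wrapper with an exit status usable from scripts: 0 = forwarding off, 1 = on.
x11forwarding_is_off() {
    [ "$(effective_x11forwarding "$1")" = "no" ]
}
```

Note that this only settles the second post's point (whether X11Forwarding is on); whether the OpenSSH build itself is patched is a separate question answered by the FreeBSD patch level, not the version string.
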
  • Rebel Alliance Developer Netgate

    Your scanner is faulty: it is claiming vulnerabilities based solely on the version number.

    FreeBSD does not alter the version number when patching. Searching on that CVE ID combined with FreeBSD would show you it was patched a long time ago:

    https://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc

    Comparing the FreeBSD version patch level on the SA with that on pfSense shows that the FreeBSD base of current versions is well after the correction date/version.