Netgate Discussion Forum
    Openssh xauth command injection vulnerability

    Off-Topic & Non-Support Discussion
    3 Posts, 3 Posters, 1.5k Views
    • slifdrop

      Hi,
      I've scanned the pfsense system and found the vulnerability with Qualys scanner on the SSH port.
      OpenSSH versions before 7.2p2 are vulnerable.

      When will a version of OpenSSH after 7.2p2 be made available?

      Thanks,
      Mike

      Affected Versions:
      OpenSSH versions prior to 7.2p2

      Qualys QID: 38623
      CVE ID:  CVE-2016-3115
      Bugtraq ID: 84314
      CVSS Base: 5.4
      CVSS Temporal: 4.3
      <quote>The sshd server fails to validate user-supplied X11 authentication credentials when establishing an X11 forwarding session. An authenticated user may inject arbitrary xauth commands by sending an x11 channel request that includes a newline character in the x11 cookie.
      Please note that systems with X11Forwarding enabled are affected.
      IMPACT:
      An authenticated, remote attacker can exploit this vulnerability to execute arbitrary commands on the targeted system.
      SOLUTION:
      Users are advised to upgrade to the latest version of the software available. Refer to the OpenSSH 7.2p2 Release Notes (http://www.openssh.com/txt/release-7.2p2) for further information.</quote>

      EXPLOITABILITY:
      Exploit-DB Reference: CVE-2016-3115 - OpenSSH 7.2p1 - Authenticated xauth Command Injection - Exploit-DB ref 39569, http://www.exploit-db.com/exploits/39569
      Qualys Reference: CVE-2016-3115 - OpenSSH PoC, https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
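      For readers who want to see why a newline in the cookie matters, the following is an added example (not from this post, not from the Qualys write-up, and not OpenSSH's own session.c): it models the point where sshd turns a client-supplied X11 cookie into a short xauth script fed over stdin, and puts the unchecked code path beside a hardened one that only accepts a plain hex cookie. The "remove ... / add ..." script layout, the display name, the cookie values and the injected xauth command are all constructed for the demo.

```python
# Added example, not from the forum post or from OpenSSH itself. It models the
# step where sshd hands a client-supplied X11 cookie to xauth as a small script
# on stdin, to show why an embedded newline (CVE-2016-3115) turns one cookie
# into extra xauth commands, and how a strict cookie check closes the hole.
# The script layout (a "remove" followed by an "add") is a simplified
# reconstruction; the real session.c is more involved.
import re
from typing import Dict, List

HEX_COOKIE = re.compile(r"[0-9a-fA-F]+")
PROTOCOL_NAME = re.compile(r"[A-Za-z0-9_.-]+")  # assumed allowed protocol characters


def xauth_script_vulnerable(display: str, proto: str, cookie: str) -> str:
    """Pre-fix behaviour: the cookie goes into the script unchecked."""
    return f"remove {display}\nadd {display} {proto} {cookie}\n"


def cookie_is_valid(cookie: str) -> bool:
    """Accept only a non-empty, even-length run of hex digits.

    That is the shape of an MIT-MAGIC-COOKIE-1 value and it leaves no room for
    a newline, whitespace or anything else xauth could parse as a command.
    """
    return bool(HEX_COOKIE.fullmatch(cookie)) and len(cookie) % 2 == 0


def xauth_script_hardened(display: str, proto: str, cookie: str) -> str:
    """Post-fix behaviour: refuse to build the script from a bad cookie or protocol."""
    if not cookie_is_valid(cookie):
        raise ValueError("x11 auth cookie is not a hex string")
    if not PROTOCOL_NAME.fullmatch(proto):
        raise ValueError("x11 auth protocol name contains unexpected characters")
    return xauth_script_vulnerable(display, proto, cookie)


def hardened_accepts(display: str, proto: str, cookie: str) -> bool:
    """True when the hardened path would run xauth for this request at all."""
    try:
        xauth_script_hardened(display, proto, cookie)
        return True
    except ValueError:
        return False


def xauth_commands(script: str) -> List[str]:
    """Split a script the way xauth consumes stdin: one command per line."""
    return [line for line in script.splitlines() if line.strip()]


# Constructed inputs for the demo.
DISPLAY = "unix:10.0"
PROTO = "MIT-MAGIC-COOKIE-1"
GOOD_COOKIE = "0123456789abcdef0123456789abcdef"
# A plausible cookie, then a newline, then an xauth command chosen by the
# client. Any xauth command could follow; "extract" writes an auth file.
EVIL_COOKIE = "0123456789abcdef" + "\n" + "extract /tmp/attacker_controlled unix:10.0"


def demo() -> Dict[str, object]:
    """How many xauth commands each path would run, and what the hardened path accepts."""
    return {
        "vulnerable_good": len(xauth_commands(xauth_script_vulnerable(DISPLAY, PROTO, GOOD_COOKIE))),
        "vulnerable_evil": len(xauth_commands(xauth_script_vulnerable(DISPLAY, PROTO, EVIL_COOKIE))),
        "hardened_accepts_good": hardened_accepts(DISPLAY, PROTO, GOOD_COOKIE),
        "hardened_accepts_evil": hardened_accepts(DISPLAY, PROTO, EVIL_COOKIE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

      The two-command script becomes three commands as soon as the cookie carries a newline, which is the whole bug; the hex-only rule is deliberately stricter than "no newlines", since a cookie has no legitimate reason to contain anything else.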

      • doktornotor (Banned)

        @slifdrop:
        <quote>Please note that Systems with X11Forwarding enabled are affected.</quote>

        $ grep X11Forwarding /etc/ssh/sshd_config
        X11Forwarding no
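        A grep only shows which lines mention the keyword; sshd applies its own rules to them. As an added example (not part of this reply), the function below reports the value sshd would actually use, following sshd_config(5): "#" lines are comments, keywords are case-insensitive, the first occurrence of a keyword wins, a keyword may be separated from its value by whitespace or a single "=", a "Match" line ends the global section, and the default when the keyword is absent is "no". The sample configs are constructed.

```python
# Added example, not from the forum reply. Reports the X11Forwarding value sshd
# would actually apply rather than the lines grep happens to print.
import re
from typing import List, Optional, Tuple

DEFAULT_X11FORWARDING = "no"            # sshd_config(5) default when the keyword is absent
SPLIT = re.compile(r"\s*=\s*|\s+")      # "Keyword value" or "Keyword=value"


def _parse(config_text: str) -> List[Tuple[str, str]]:
    """(keyword, value) pairs with the keyword lowercased; comments and blanks skipped."""
    pairs = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = SPLIT.split(line, maxsplit=1)
        if len(parts) == 2:
            pairs.append((parts[0].lower(), parts[1].strip()))
    return pairs


def effective_x11_forwarding(config_text: str) -> str:
    """Global value: the first X11Forwarding before any Match line, else the default."""
    for keyword, value in _parse(config_text):
        if keyword == "match":
            break                       # everything after this is conditional
        if keyword == "x11forwarding":
            return value.split()[0].lower()
    return DEFAULT_X11FORWARDING


def match_overrides(config_text: str) -> List[Tuple[str, str]]:
    """(match criteria, value) for every X11Forwarding set inside a Match block."""
    overrides: List[Tuple[str, str]] = []
    current: Optional[str] = None
    for keyword, value in _parse(config_text):
        if keyword == "match":
            current = value
        elif keyword == "x11forwarding" and current is not None:
            overrides.append((current, value.split()[0].lower()))
    return overrides


# Constructed sample configs.
CONFIG_GREP_LOOKS_FINE = """\
Port 22
# X11Forwarding yes
X11Forwarding yes
X11Forwarding no
"""  # grep prints three lines, the last says "no"; sshd uses the first live one: yes

CONFIG_ABSENT = "Port 22\nSubsystem sftp /usr/libexec/sftp-server\n"  # default applies: no

CONFIG_MATCH = """\
X11Forwarding no
Match User alice
    X11Forwarding yes
"""  # globally off, but on for one user

if __name__ == "__main__":
    for name, cfg in [("grep-looks-fine", CONFIG_GREP_LOOKS_FINE),
                      ("absent", CONFIG_ABSENT), ("match", CONFIG_MATCH)]:
        print(name, effective_x11_forwarding(cfg), match_overrides(cfg))
```

        On the box itself, `sshd -T | grep -i x11forwarding` prints the effective value directly and is the quicker check; the parser above is for reviewing copies of the file offline.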
        
        
        • jimp (Rebel Alliance Developer, Netgate)

          Your scanner is faulty: it is claiming vulnerabilities based solely on the version number.

          FreeBSD does not alter the version number when patching. Searching on that CVE ID combined with FreeBSD would show you it was patched a long time ago:

          https://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc

          Comparing the FreeBSD version patch level on the SA with that on pfSense shows that the FreeBSD base of current versions is well after the correction date/version.

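          To make the difference between the two checks concrete, here is an added example (not part of this reply and not a Netgate or FreeBSD tool) that contrasts what a banner-only scanner does with what a FreeBSD patch level says. The banner string, and in particular the "FreeBSD-<date>" suffix, is an illustrative assumption about how the FreeBSD build identifies itself; the EXAMPLE_FIXED_IN table is a constructed placeholder and must be filled from the "Corrected:" section of the advisory before it means anything.

```python
# Added example, not from the forum reply. Contrasts a banner-only version check
# with a FreeBSD patch-level check against an advisory's corrected versions.
import re
from typing import Dict, Optional, Tuple

BANNER = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
FREEBSD_VERSION = re.compile(
    r"^(\d+\.\d+)-(RELEASE|STABLE|CURRENT|RC\d*|BETA\d*)(?:-p(\d+))?$"
)

# branch -> first -RELEASE patch level containing the fix.
# PLACEHOLDER VALUES, constructed for the example: take the real ones from
# the "Corrected:" section of FreeBSD-SA-16:14.openssh.asc.
EXAMPLE_FIXED_IN: Dict[str, int] = {"10.2": 13, "10.1": 30, "9.3": 38}


def openssh_version_from_banner(banner: str) -> Tuple[int, int, int]:
    """'SSH-2.0-OpenSSH_7.2p1' -> (7, 2, 1); a bare '7.2' is treated as (7, 2, 0)."""
    m = BANNER.match(banner.strip())
    if not m:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def scanner_flags_banner(banner: str, fixed: Tuple[int, int, int] = (7, 2, 2)) -> bool:
    """What a version-only check does: flag anything numerically below 7.2p2.

    A FreeBSD build keeps reporting the portable version it was imported from
    (assumed here to look like "OpenSSH_7.2 FreeBSD-<date>") after the base
    system is patched, so this check cannot tell patched from unpatched.
    """
    return openssh_version_from_banner(banner) < fixed


def parse_freebsd_version(s: str) -> Tuple[str, str, int]:
    """'10.3-RELEASE-p3' -> ('10.3', 'RELEASE', 3), as printed by freebsd-version -u."""
    m = FREEBSD_VERSION.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised FreeBSD version: {s!r}")
    return m.group(1), m.group(2), int(m.group(3) or 0)


def patched_per_advisory(freebsd_version: str, fixed_in: Dict[str, int]) -> Optional[bool]:
    """True/False when the advisory table covers the branch; None when it cannot say.

    Patch levels only exist on -RELEASE (-STABLE and -CURRENT are dated
    snapshots), and a branch newer than any listed in the advisory has to be
    judged by its release date against the advisory's, not by a -pN number.
    """
    branch, kind, plevel = parse_freebsd_version(freebsd_version)
    if kind != "RELEASE" or branch not in fixed_in:
        return None
    return plevel >= fixed_in[branch]


if __name__ == "__main__":
    banner = "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310"   # constructed, illustrative banner
    print("scanner flags banner:", scanner_flags_banner(banner))
    for v in ("10.2-RELEASE-p20", "10.2-RELEASE-p5", "11.0-CURRENT", "10.3-RELEASE-p3"):
        print(v, "->", patched_per_advisory(v, EXAMPLE_FIXED_IN))
```

          The banner check flags every FreeBSD 7.2 build regardless of its state, which is exactly the false positive in the first post; the patch-level check returns None rather than guessing for branches the advisory table does not list, which is when you fall back to comparing release dates as the reply describes.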

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.