OpenSSH xauth command injection vulnerability
-
Hi,
I've scanned the pfSense system and found the vulnerability with Qualys scanner on the SSH port.
OpenSSH versions before 7.2p2 are vulnerable. When will a version of OpenSSH after 7.2p2 be made available?
Thanks,
Mike
Affected Versions:
OpenSSH versions prior to 7.2p2
Qualys QID: 38623
CVE ID: CVE-2016-3115
Bugtraq ID: 84314
CVSS Base: 5.4
CVSS Temporal: 4.3
<quote>The sshd server fails to validate user-supplied X11 authentication credentials when establishing an X11 forwarding session. An authenticated user may inject arbitrary xauth commands by sending an x11 channel request that includes a newline character in the x11 cookie.
Please note that Systems with X11Forwarding enabled are affected.
IMPACT:
An authenticated, remote attacker can exploit this vulnerability to execute arbitrary commands on the targeted system.
SOLUTION:
Users are advised to upgrade to the latest version of the software available. Refer to OpenSSH 7.2p2 Release Notes (http://www.openssh.com/txt/release-7.2p2) for further information.</quote>
EXPLOITABILITY:
The Exploit-DB
Reference: CVE-2016-3115
Description: OpenSSH 7.2p1 - Authenticated xauth Command Injection - The Exploit-DB Ref : 39569
Link: http://www.exploit-db.com/exploits/39569
Qualys
Reference: CVE-2016-3115
Description: OpenSSH
Link: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
Please note that Systems with X11Forwarding enabled are affected.
$ grep X11Forwarding /etc/ssh/sshd_config
X11Forwarding no
-
Your scanner is faulty, it is claiming vulnerabilities based solely on the version number.
FreeBSD does not alter the version number when patching. Searching on that CVE ID combined with FreeBSD would show you it was patched a long time ago:
https://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc
Comparing the FreeBSD version patch level on the SA with that on pfSense shows that the FreeBSD base of current versions is well after the correction date/version.
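The two checks discussed in this thread (is X11Forwarding actually enabled, and is the finding based only on the version banner) can be combined into one triage step. The following is an added example, not part of the thread and not pfSense or Qualys code. The function names, result strings, sample banner and sample config are constructed for illustration, and Include directives are not followed.

```python
import re

FIXED = (7, 2, 2)  # OpenSSH 7.2p2, the fixed release named in the scanner text

# Constructed sample inputs (not taken from the thread).
SAMPLE_BANNER = "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310"
SAMPLE_CONFIG = """\
# global section
X11Forwarding no
Match User admin
    X11Forwarding yes
"""

def x11_forwarding(config_text):
    """Return (global_value, {match_criteria: value}) for X11Forwarding.

    sshd keeps the first value it obtains for a keyword, so a later duplicate
    in the same scope is ignored. Include directives are not followed here.
    """
    global_value, overrides, scope = None, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()              # keywords are case-insensitive
        arg = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            scope = arg.strip()                 # block runs to next Match or EOF
        elif keyword == "x11forwarding":
            value = (arg.split() or [""])[0].strip('"').lower()
            if scope is None:
                global_value = global_value or value
            else:
                overrides.setdefault(scope, value)
    return global_value or "no", overrides      # sshd defaults to "no" when unset

def triage(banner, config_text):
    """Classify a version-banner hit for CVE-2016-3115."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return "unknown-banner"
    if tuple(int(g or 0) for g in m.groups()) >= FIXED:
        return "not-flagged"
    global_value, overrides = x11_forwarding(config_text)
    if global_value != "yes" and "yes" not in overrides.values():
        return "version-flagged-x11forwarding-off"
    return "x11forwarding-on-check-vendor-patch-level"

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_CONFIG))
```

Unlike a plain grep, this reports a `Match` block that re-enables forwarding after a global `no`. On a live host, `sshd -T` prints the effective configuration and remains the authoritative check.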