[arch-security] [ASA-201603-12] openssh: command injection
Arch Linux Security Advisory ASA-201603-12
==========================================

Severity: Medium
Date    : 2016-03-11
CVE-ID  : CVE-2016-3115
Package : openssh
Type    : command injection
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package openssh before version 7.2p2-1 is vulnerable to command
injection leading to information disclosure, directory traversal and
possibly other impact.

Resolution
==========

Upgrade to 7.2p2-1.

# pacman -Syu "openssh>=7.2p2-1"

The problem has been fixed upstream in version 7.2p2.

Workaround
==========

Set X11Forwarding=no in sshd_config. This is the default.

For authorized_keys that specify a "command" restriction, also set the
"restrict" or "no-x11-forwarding" restrictions.

Description
===========

Missing sanitisation of untrusted input allows an authenticated user who
is able to request X11 forwarding to inject commands to xauth.

Injection of xauth commands grants the ability to read arbitrary files
under the authenticated user's privilege. Other xauth commands allow
limited information leakage, file overwrite, port probing and generally
expose xauth, which was not written with a hostile user in mind, as an
attack surface.

xauth is run under the user's privilege, so this vulnerability offers no
additional access to unrestricted accounts, but could circumvent key or
account restrictions such as sshd_config ForceCommand, authorized_keys
command="..." or restricted shells.

Impact
======

A remote authenticated user who is able to request X11 forwarding can
inject commands to xauth leading to information disclosure, directory
traversal and possibly other impact.

References
==========

http://www.openssh.com/txt/x11fwd.adv
https://access.redhat.com/security/cve/CVE-2016-3115
Levente Polyak
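The authorized_keys half of the workaround can be audited mechanically. The following is an added example, not part of the advisory or of OpenSSH: it lists the lines of an authorized_keys file that carry a "command" restriction but still permit X11 forwarding. The function names and the sample keys are constructed for illustration; it assumes the sshd(8) option syntax, in which "x11-forwarding" re-enables forwarding after "restrict".

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options

def split_options(line):
    """Return the option list of one authorized_keys line ([] if none)."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_TYPES):
        return []
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and quoted and line[i + 1:i + 2] == '"':
            cur, i = cur + '\\"', i + 1   # escaped quote inside a value
        elif c == '"':
            quoted, cur = not quoted, cur + c
        elif c == "," and not quoted:
            opts, cur = opts + [cur], ""
        elif c.isspace() and not quoted:
            break                         # end of the options field
        else:
            cur += c
        i += 1
    return opts + [cur]

def key_allows_x11(line):
    """True if a command=-restricted key still permits X11 forwarding."""
    forced, x11 = False, True             # a key permits X11 unless an option says otherwise
    for opt in split_options(line):       # options apply in order, later ones win
        name = opt.split("=", 1)[0].lower()
        if name == "command":
            forced = True
        elif name in ("restrict", "no-x11-forwarding"):
            x11 = False
        elif name == "x11-forwarding":    # re-enables X11 after "restrict"
            x11 = True
    return forced and x11

def audit(keys_text):
    """1-based line numbers of command= keys that still permit X11 forwarding."""
    return [n for n, l in enumerate(keys_text.splitlines(), 1) if key_allows_x11(l)]

# Constructed sample input, not taken from a real host.
SAMPLE_KEYS = '''\
command="/usr/bin/backup --to a,b" ssh-ed25519 AAAAexample1 backup@constructed
restrict,command="/usr/bin/backup" ssh-ed25519 AAAAexample2 backup@constructed
command="echo \\"hi\\"",no-x11-forwarding ssh-rsa AAAAexample3 ci@constructed
restrict,x11-forwarding,command="/bin/true" ssh-rsa AAAAexample4 gui@constructed
ssh-ed25519 AAAAexample5 admin@constructed
'''
print(audit(SAMPLE_KEYS))
```

Flagged lines only matter on hosts where sshd_config sets X11Forwarding to yes; with the default of no, sshd refuses the forwarding request regardless of the key options.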