[arch-security] [ASA-201603-12] openssh: command injection

Levente Polyak anthraxx at archlinux.org
Fri Mar 11 22:25:42 UTC 2016


Arch Linux Security Advisory ASA-201603-12
==========================================

Severity: Medium
Date    : 2016-03-11
CVE-ID  : CVE-2016-3115
Package : openssh
Type    : command injection
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package openssh before version 7.2p2-1 is vulnerable to command
injection leading to information disclosure, directory traversal and
possibly other impact.

Resolution
==========

Upgrade to 7.2p2-1.

# pacman -Syu "openssh>=7.2p2-1"

The problem has been fixed upstream in version 7.2p2.

Workaround
==========

Set X11Forwarding=no in sshd_config. This is the default.
For authorized_keys that specify a "command" restriction, also set the
"restrict" or "no-x11-forwarding" restrictions.
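The workaround above has two halves: a global sshd_config setting and a per-key option in authorized_keys. The following POSIX shell script is an added audit helper, not part of the advisory or of OpenSSH, that checks both on files you point it at. All sample files it writes are constructed, the key blobs are placeholders, and the authorized_keys check is a heuristic on the options field rather than a full parser.

```shell
#!/bin/sh
# Added audit helper for the ASA-201603-12 workaround (not advisory or OpenSSH
# code). It reads configuration files and reports whether both mitigations hold:
#   1. X11Forwarding is "no" in the global section of sshd_config, and
#   2. every authorized_keys entry carrying command="..." also carries
#      "restrict" or "no-x11-forwarding".
# All sample files below are constructed; the key blobs are placeholders.

# Print the global X11Forwarding value of an sshd_config file ("no" when the
# keyword is absent, which is sshd's default). Parsing stops at the first
# Match block, because options after it are conditional, not global.
x11_forwarding_setting() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) ~ /^match$/ { exit }
        {
            line = $0
            gsub(/=/, " ", line)                 # sshd also accepts "Keyword=value"
            split(line, f, /[ \t]+/)
            i = (f[1] == "") ? 2 : 1             # leading whitespace gives an empty first field
            if (tolower(f[i]) == "x11forwarding") { print tolower(f[i+1]); found = 1; exit }
        }
        END { if (!found) print "no" }
    ' "$1"
}

# Print the number of authorized_keys entries that set command="..." without
# "restrict" or "no-x11-forwarding". The option must sit at the start of the
# line or right after a comma, so the same word inside the quoted command or
# the trailing comment does not count (heuristic, not a full options parser).
unrestricted_command_keys() {
    grep -vE '^[[:space:]]*(#|$)' "$1" \
        | grep 'command="' \
        | grep -vE '(^|,)(restrict|no-x11-forwarding)(,|[[:space:]])' \
        | awk 'END { print NR }'
}

# Combined check: prints findings, returns 0 when both mitigations hold and
# 1 otherwise, so it can drive a cron job or a configuration test.
audit_x11_exposure() {
    config=$1; keys=$2; status=0
    fwd=$(x11_forwarding_setting "$config")
    if [ "$fwd" != "no" ]; then
        echo "WARN: X11Forwarding is '$fwd' in $config (workaround wants 'no')"
        status=1
    fi
    n=$(unrestricted_command_keys "$keys")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n command= entries in $keys lack restrict/no-x11-forwarding"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $config and $keys follow the ASA-201603-12 workaround"
    fi
    return "$status"
}

# Constructed sample files for a stand-alone run; removed on exit.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

VULN_SSHD_CONFIG=$SAMPLE_DIR/sshd_config.vulnerable
cat > "$VULN_SSHD_CONFIG" <<'EOF'
# constructed sample: forwarding switched on globally, off for one user only
Port 22
X11Forwarding yes
Match User alice
    X11Forwarding no
EOF

FIXED_SSHD_CONFIG=$SAMPLE_DIR/sshd_config.fixed
cat > "$FIXED_SSHD_CONFIG" <<'EOF'
# constructed sample: keyword written in the advisory's "Keyword=value" form
  x11forwarding=no
EOF

SAMPLE_KEYS=$SAMPLE_DIR/authorized_keys
cat > "$SAMPLE_KEYS" <<'EOF'
# constructed sample; AAAAPLACEHOLDER* is not real key material
command="/usr/bin/rrsync /srv/backup" ssh-ed25519 AAAAPLACEHOLDER1 backup@example
restrict,command="/usr/bin/rrsync /srv/backup" ssh-ed25519 AAAAPLACEHOLDER2 backup2@example
no-x11-forwarding,command="/bin/true" ssh-rsa AAAAPLACEHOLDER3 probe@example
ssh-ed25519 AAAAPLACEHOLDER4 plain@example
EOF

FIXED_KEYS=$SAMPLE_DIR/authorized_keys.fixed
cat > "$FIXED_KEYS" <<'EOF'
restrict,command="/usr/bin/rrsync /srv/backup" ssh-ed25519 AAAAPLACEHOLDER1 backup@example
ssh-ed25519 AAAAPLACEHOLDER4 plain@example
EOF

audit_x11_exposure "$VULN_SSHD_CONFIG" "$SAMPLE_KEYS" || echo "exit status: $?"
audit_x11_exposure "$FIXED_SSHD_CONFIG" "$FIXED_KEYS"
```

Run it against a real host as `audit_x11_exposure /etc/ssh/sshd_config ~user/.ssh/authorized_keys` for each account that has a forced command; keys without any command= option are skipped because the advisory's point is that the injection bypasses command restrictions, not that X11 forwarding itself must be disabled per key. Note that only the first mitigation (X11Forwarding=no) removes the attack surface entirely; the per-key options only close the bypass for keys that are already restricted.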

Description
===========

Missing sanitisation of untrusted input allows an authenticated user who
is able to request X11 forwarding to inject commands to xauth.

Injection of xauth commands grants the ability to read arbitrary files
under the authenticated user's privilege. Other xauth commands allow
limited information leakage, file overwrite, port probing and generally
expose xauth, which was not written with a hostile user in mind, as an
attack surface.

xauth is run under the user's privilege, so this vulnerability offers no
additional access to unrestricted accounts, but could circumvent key or
account restrictions such as sshd_config ForceCommand, authorized_keys
command="..." or restricted shells.

Impact
======

A remote authenticated user who is able to request X11 forwarding can
inject commands to xauth leading to information disclosure, directory
traversal and possibly other impact.

References
==========

http://www.openssh.com/txt/x11fwd.adv
https://access.redhat.com/security/cve/CVE-2016-3115
