CVE-2016-3115

Severity: medium

Description

Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.

References

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&f=h

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178838.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179924.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-March/180491.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html

http://packetstormsecurity.com/files/136234/OpenSSH-7.2p1-xauth-Command-Injection-Bypass.html

http://rhn.redhat.com/errata/RHSA-2016-0465.html

http://rhn.redhat.com/errata/RHSA-2016-0466.html

http://seclists.org/fulldisclosure/2016/Mar/46

http://seclists.org/fulldisclosure/2016/Mar/47

http://www.openssh.com/txt/x11fwd.adv

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

http://www.securityfocus.com/bid/84314

http://www.securitytracker.com/id/1035249

https://bto.bluecoat.com/security-advisory/sa121

https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115

https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html

https://security.gentoo.org/glsa/201612-18

https://www.exploit-db.com/exploits/39569/

https://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc

Details

Source: MITRE

Published: 2016-03-22

Updated: 2018-09-11

Risk Information

CVSS v2

Base Score: 5.5

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 8

Severity: MEDIUM

CVSS v3

Base Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 3.1

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:openbsd:openssh:*:p1:*:*:*:*:*:* versions up to 7.2 (inclusive)

Configuration 2

OR

cpe:2.3:o:oracle:vm_server:3.2:*:*:*:*:*:*:*

Tenable Plugins

ID | Name | Product | Family | Severity
101859 | F5 Networks BIG-IP : SSHD session.c vulnerability (K93532943) | Nessus | F5 Networks Local Security Checks | medium
99771 | EulerOS 2.0 SP1 : openssh (EulerOS-SA-2016-1008) | Nessus | Huawei Local Security Checks | critical
95604 | GLSA-201612-18 : OpenSSH: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical
93735 | SUSE SLES11 Security Update : openssh (SUSE-SU-2016:2388-1) | Nessus | SuSE Local Security Checks | critical
91750 | OracleVM 3.2 : openssh (OVMSA-2016-0070) | Nessus | OracleVM Local Security Checks | medium
91655 | SUSE SLES11 Security Update : openssh (SUSE-SU-2016:1528-1) | Nessus | SuSE Local Security Checks | critical
91413 | openSUSE Security Update : openssh (openSUSE-2016-668) | Nessus | SuSE Local Security Checks | critical
91318 | SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2016:1386-1) | Nessus | SuSE Local Security Checks | critical
91153 | OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0048) | Nessus | OracleVM Local Security Checks | medium
91086 | Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : openssh vulnerabilities (USN-2966-1) | Nessus | Ubuntu Local Security Checks | critical
90947 | Fedora 24 : gsi-openssh-7.2p2-2.fc24 (2016-08e5803496) | Nessus | Fedora Local Security Checks | medium
90942 | AIX OpenSSH Advisory : openssh_advisory8.asc | Nessus | AIX Local Security Checks | medium
90740 | Fedora 22 : gsi-openssh-6.9p1-8.fc22 (2016-fc1cc33e05) | Nessus | Fedora Local Security Checks | medium
90726 | Fedora 23 : gsi-openssh-7.2p2-1.fc23 (2016-188267b485) | Nessus | Fedora Local Security Checks | medium
9312 | OpenSSH < 7.2p2 X11Forwarding xauth Command Injection | Nessus Network Monitor | SSH | medium
90342 | Oracle Linux 5 : openssh (ELSA-2016-3531) | Nessus | Oracle Linux Local Security Checks | medium
90285 | Fedora 22 : openssh-6.9p1-11.fc22 (2016-d339d610c1) | Nessus | Fedora Local Security Checks | medium
90209 | Fedora 24 : openssh-7.2p2-1.fc24 (2016-0bcab055a7) | Nessus | Fedora Local Security Checks | medium
90081 | Scientific Linux Security Update : openssh on SL7.x x86_64 (20160321) | Nessus | Scientific Linux Local Security Checks | critical
90080 | Scientific Linux Security Update : openssh on SL6.x i386/x86_64 (20160321) | Nessus | Scientific Linux Local Security Checks | medium
90079 | RHEL 6 : openssh (RHSA-2016:0466) | Nessus | Red Hat Local Security Checks | medium
90078 | RHEL 7 : openssh (RHSA-2016:0465) | Nessus | Red Hat Local Security Checks | critical
90076 | OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0038) | Nessus | OracleVM Local Security Checks | medium
90075 | Oracle Linux 6 : openssh (ELSA-2016-0466) | Nessus | Oracle Linux Local Security Checks | medium
90074 | Oracle Linux 7 : openssh (ELSA-2016-0465) | Nessus | Oracle Linux Local Security Checks | critical
90069 | CentOS 6 : openssh (CESA-2016:0466) | Nessus | CentOS Local Security Checks | medium
90068 | CentOS 7 : openssh (CESA-2016:0465) | Nessus | CentOS Local Security Checks | critical
90023 | OpenSSH < 7.2p2 X11Forwarding xauth Command Injection | Nessus | Misc. | medium
89965 | Amazon Linux AMI : openssh (ALAS-2016-668) | Nessus | Amazon Linux Local Security Checks | medium
89897 | FreeBSD : openssh -- command injection when X11Forwarding is enabled (e4644df8-e7da-11e5-829d-c80aa9043978) | Nessus | FreeBSD Local Security Checks | medium
89887 | Fedora 23 : openssh-7.2p2-1.fc23 (2016-bb59db3c86) | Nessus | Fedora Local Security Checks | medium
89836 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssh (SSA:2016-070-01) | Nessus | Slackware Local Security Checks | medium