FreeBSD : openssh -- command injection when X11Forwarding is enabled (e4644df8-e7da-11e5-829d-c80aa9043978)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

The OpenSSH project reports :

Missing sanitisation of untrusted input allows an authenticated user
who is able to request X11 forwarding to inject commands to xauth(1).

Injection of xauth commands grants the ability to read arbitrary files
under the authenticated user's privilege. Other xauth commands allow
limited information leakage, file overwrite, port probing and
generally expose xauth(1), which was not written with a hostile user
in mind, as an attack surface.

Mitigation :

Set X11Forwarding=no in sshd_config. This is the default.

For authorized_keys that specify a 'command' restriction, also set the
'restrict' (available in OpenSSH >=7.2) or 'no-x11-forwarding'
restrictions.
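
An audit sketch for the two mitigations quoted above, added here as an example; it is not code from OpenSSH or from the Nessus plugin. The function names and sample inputs are constructed for illustration, and the handling of the `x11-forwarding` option (which sshd(8) documents as re-enabling forwarding after `restrict`) goes beyond what the advisory text mentions.

```python
import re

# Effect of each authorized_keys option on X11 forwarding, per sshd(8).
X11_EFFECT = {"restrict": False, "no-x11-forwarding": False, "x11-forwarding": True}
QUOTED = r'"(?:\\.|[^"\\])*"'
OPTS_FIELD = re.compile(rf'(?:{QUOTED}|[^\s"])+')  # ends at first unquoted space
ONE_OPT = re.compile(rf'(?:{QUOTED}|[^,"])+')      # pieces between unquoted commas

def sshd_x11_scopes(text):
    """Scopes ('global' or a Match line) whose X11Forwarding is 'yes'."""
    scope, seen, enabled = "global", set(), []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "match":
            scope = "Match " + value
        elif key.lower() == "x11forwarding" and scope not in seen:
            seen.add(scope)  # within a scope the first value wins
            if value.split("#")[0].strip('" \t').lower() == "yes":
                enabled.append(scope)
    return enabled

def forced_keys_allowing_x11(text):
    """Line numbers of 'command=' keys that may still request X11 forwarding."""
    flagged = []
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        field = None
        if line and not line.startswith(("#", "ssh-", "ecdsa-", "sk-")):
            field = OPTS_FIELD.match(line)  # line starts with an options field
        opts = ONE_OPT.findall(field.group(0)) if field else []
        names = [o.split("=", 1)[0].lower() for o in opts]
        x11 = True  # forwarding is permitted unless an option removes it
        for name in names:  # options take effect in order
            x11 = X11_EFFECT.get(name, x11)
        if "command" in names and x11:
            flagged.append(n)
    return flagged

# Constructed sample input (key material is a placeholder).
SAMPLE_SSHD = "X11Forwarding yes\nMatch User backup\n  X11Forwarding no\nMatch Group devs\n  X11Forwarding=yes\n"
SAMPLE_KEYS = "\n".join([
    'ssh-ed25519 AAAA_PLACEHOLDER admin',
    'command="/usr/local/bin/backup.sh" ssh-ed25519 AAAA_PLACEHOLDER backup',
    'restrict,command="echo a, b" ssh-ed25519 AAAA_PLACEHOLDER job1',
    'restrict,x11-forwarding,command="/bin/true" ssh-rsa AAAA_PLACEHOLDER job2',
])

if __name__ == "__main__":
    print(sshd_x11_scopes(SAMPLE_SSHD), forced_keys_allowing_x11(SAMPLE_KEYS))
```

On the sample data the first list names every scope where forwarding is switched on, and the second gives the line numbers of forced-command keys that carry neither restriction.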

See also :

http://www.openssh.com/txt/x11fwd.adv
http://www.nessus.org/u?9d9c23ca

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 5.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 89897

Bugtraq ID:

CVE ID: CVE-2016-3115
