FreeBSD : openssh -- command injection when X11Forwarding is enabled (e4644df8-e7da-11e5-829d-c80aa9043978)

Medium Nessus Plugin ID 89897


The remote FreeBSD host is missing a security-related update.


The OpenSSH project reports :

Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).

Injection of xauth commands grants the ability to read arbitrary files under the authenticated user's privilege, Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth(1), which was not written with a hostile user in mind, as an attack surface.

Mitigation :

Set X11Forwarding=no in sshd_config. This is the default.

For authorized_keys that specify a 'command' restriction, also set the 'restrict' (available in OpenSSH >=7.2) or 'no-x11-forwarding' restrictions.


Update the affected package.

See Also

Plugin Details

Severity: Medium

ID: 89897

File Name: freebsd_pkg_e4644df8e7da11e5829dc80aa9043978.nasl

Version: $Revision: 2.5 $

Type: local

Published: 2016/03/14

Modified: 2016/10/19

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N


Base Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:openssh-portable, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2016/03/11

Vulnerability Publication Date: 2016/03/11

Reference Information

CVE: CVE-2016-3115

FreeBSD: SA-16:14.openssh