FreeBSD : openssh -- command injection when X11Forwarding is enabled (e4644df8-e7da-11e5-829d-c80aa9043978)
Medium Nessus Plugin ID 89897
SynopsisThe remote FreeBSD host is missing a security-related update.
DescriptionThe OpenSSH project reports :
Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).
Injection of xauth commands grants the ability to read arbitrary files under the authenticated user's privilege, Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth(1), which was not written with a hostile user in mind, as an attack surface.
Set X11Forwarding=no in sshd_config. This is the default.
For authorized_keys that specify a 'command' restriction, also set the 'restrict' (available in OpenSSH >=7.2) or 'no-x11-forwarding' restrictions.
SolutionUpdate the affected package.