Dropbear SSH Server < 2016.72 xauth Command Injection

Medium severity, Nessus Plugin ID 90027

Synopsis

The remote SSH service is affected by a command injection vulnerability.

Description

According to its self-reported version in the banner, the version of Dropbear SSH running on the remote host is prior to 2016.72. It is, therefore, affected by a command injection vulnerability when X11 Forwarding is enabled, due to improper sanitization of X11 authentication credentials. An authenticated, remote attacker can exploit this to execute arbitrary xauth commands on the remote host.

Note that X11 Forwarding is not enabled by default.

Solution

Upgrade to Dropbear SSH version 2016.72 or later.

See Also

https://matt.ucc.asn.au/dropbear/CHANGES

https://seclists.org/fulldisclosure/2016/Mar/47

http://www.nessus.org/u?c1e20657

Plugin Details

Severity: Medium

ID: 90027

File Name: dropbear_ssh_72.nasl

Version: 1.7

Type: remote

Family: Misc.

Published: 3/18/2016

Updated: 11/20/2019

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2016-3116

CVSS v3

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:matt_johnston:dropbear_ssh_server

Required KB Items: Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/9/2016

Vulnerability Publication Date: 3/9/2016

Reference Information

CVE: CVE-2016-3116