Dropbear SSH Server < 2016.72 xauth Command Injection

Medium Nessus Plugin ID 90027


The remote SSH service is affected by a command injection vulnerability.


According to its self-reported version in the banner, the version of Dropbear SSH running on the remote host is prior to 2016.72. It is, therefore, affected by a command injection vulnerability when X11 Forwarding is enabled, due to improper sanitization of X11 authentication credentials. An authenticated, remote attacker can exploit this to execute arbitrary xauth commands on the remote host.

Note that X11 Forwarding is not enabled by default.


Upgrade to Dropbear SSH version 2016.72 or later.

See Also




Plugin Details

Severity: Medium

ID: 90027

File Name: dropbear_ssh_72.nasl

Version: $Revision: 1.3 $

Type: remote

Family: Misc.

Published: 2016/03/18

Modified: 2016/09/01

Dependencies: 10267

Risk Information

Risk Factor: Medium


Base Score: 6

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND

Vulnerability Information

CPE: cpe:/a:matt_johnston:dropbear_ssh_server

Required KB Items: Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/03/09

Vulnerability Publication Date: 2016/03/09

Reference Information

CVE: CVE-2016-3116

OSVDB: 135770