Dropbear SSH Server < 2016.72 xauth Command Injection
Medium Nessus Plugin ID 90027
SynopsisThe remote SSH service is affected by a command injection vulnerability.
DescriptionAccording to its self-reported version in the banner, the version of Dropbear SSH running on the remote host is prior to 2016.72. It is, therefore, affected by a command injection vulnerability when X11 Forwarding is enabled, due to improper sanitization of X11 authentication credentials. An authenticated, remote attacker can exploit this to execute arbitrary xauth commands on the remote host.
Note that X11 Forwarding is not enabled by default.
SolutionUpgrade to Dropbear SSH version 2016.72 or later.