Bugzilla – Bug 970632
VUL-0: CVE-2016-3115: openssh: Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forw...
Last modified: 2020-06-15 13:26:53 UTC
CVE-2016-3115

OpenSSH Security Advisory: x11fwd.adv

This document may be found at: http://www.openssh.com/txt/x11fwd.adv

1. Affected configurations

All versions of OpenSSH prior to 7.2p2 with X11Forwarding enabled.

2. Vulnerability

Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).

Injection of xauth commands grants the ability to read arbitrary files under the authenticated user's privilege. Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth(1), which was not written with a hostile user in mind, as an attack surface.

xauth(1) is run under the user's privilege, so this vulnerability offers no additional access to unrestricted accounts, but could circumvent key or account restrictions such as sshd_config ForceCommand, authorized_keys command="..." or restricted shells.

3. Mitigation

Set X11Forwarding=no in sshd_config. This is the default.

For authorized_keys that specify a "command" restriction, also set the "restrict" (available in OpenSSH >=7.2) or "no-x11-forwarding" restrictions.

4. Details

As part of establishing an X11 forwarding session, sshd(8) accepts an X11 authentication credential from the client. This credential is supplied to the xauth(1) utility to establish it for X11 applications that the user subsequently runs.

The contents of the credential's components (authentication scheme and credential data) were not sanitised to exclude meta-characters such as newlines. An attacker could therefore supply a credential that injected commands to xauth(1). The attacker could then use a number of xauth commands to read or overwrite arbitrary files subject to file permissions, connect to local ports or perform attacks on xauth(1) itself.

OpenSSH 7.2p2 implements a whitelist of characters that are permitted to appear in X11 authentication credentials.

5. Credit

This issue was identified by github.com/tintinweb and communicated to the OpenSSH developers on March 3rd, 2016.

6. Fix

Portable OpenSSH 7.2p2 contains a fix for this vulnerability.

Patches for supported OpenBSD releases (5.7, 5.8 and 5.9) have been committed to the -STABLE branches and are available on the errata pages:

http://www.openbsd.org/errata57.html
http://www.openbsd.org/errata58.html
http://www.openbsd.org/errata59.html

References:
http://www.openssh.com/txt/x11fwd.adv
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3115
http://seclists.org/oss-sec/2016/q1/593
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3115.html
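Added example (not part of the advisory and not the OpenSSH source): a minimal C model of the allowlist approach described in section 4, where each credential field is checked before it is placed into the line-oriented input for xauth(1). The permitted character set, the function names and the two-line remove/add input format are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowlist for one credential field (scheme or data): alphanumerics plus
 * a few punctuation characters. The exact set is an assumption. */
static int cred_field_ok(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && strchr(".:/-_", c) == NULL)
            return 0;   /* newline, space, quotes, etc. are rejected */
    }
    return 1;
}

/* Build the line-oriented input handed to xauth (assumed format). The
 * display is assumed to be chosen by the server, not the client.
 * Returns the length written, or -1 if a field is rejected or too long. */
static int build_xauth_input(char *out, size_t outlen, const char *display,
                             const char *proto, const char *data)
{
    int n;
    if (!cred_field_ok(proto) || !cred_field_ok(data))
        return -1;
    n = snprintf(out, outlen, "remove %s\nadd %s %s %s\n",
                 display, display, proto, data);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

static int count_lines(const char *s)
{
    int lines = 0;
    for (; *s != '\0'; s++)
        lines += (*s == '\n');
    return lines;
}

int main(void)
{
    char buf[256];  /* sample values below are constructed */
    int ok = build_xauth_input(buf, sizeof buf, "unix:10", "MIT-MAGIC-COOKIE-1", "00ff");
    int bad = build_xauth_input(buf, sizeof buf, "unix:10", "MIT-MAGIC-COOKIE-1", "00ff\nx");
    printf("valid: %d lines=%d, with newline: %d\n", ok, count_lines(buf), bad);
    return 0;
}
```

Because validation happens before formatting, a rejected credential never reaches the buffer, so the input always contains exactly the two intended lines.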
bugbot adjusting priority
Upstream commit:
OpenBSD CVS: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c?f=h#rev1.282
Portable OpenSSH git: https://anongit.mindrot.org/openssh.git/commit/?id=4b4bfb01cd40b9ddb948e6026ddd287cc303d871
SUSE-SU-2016:1386-1: An update that solves three vulnerabilities and has 9 fixes is now available.
Category: security (moderate)
Bug References: 729190,932483,945484,945493,947458,948902,960414,961368,962313,965576,970632,975865
CVE References: CVE-2015-8325,CVE-2016-1908,CVE-2016-3115
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): openssh-6.6p1-42.1, openssh-askpass-gnome-6.6p1-42.1
SUSE Linux Enterprise Server 12 (src): openssh-6.6p1-42.1, openssh-askpass-gnome-6.6p1-42.1
SUSE Linux Enterprise Desktop 12-SP1 (src): openssh-6.6p1-42.1, openssh-askpass-gnome-6.6p1-42.1
SUSE Linux Enterprise Desktop 12 (src): openssh-6.6p1-42.1, openssh-askpass-gnome-6.6p1-42.1
This is an autogenerated message for OBS integration: This bug (970632) was mentioned in https://build.opensuse.org/request/show/398334 13.2 / openssh
openSUSE-SU-2016:1455-1: An update that solves three vulnerabilities and has 9 fixes is now available.
Category: security (moderate)
Bug References: 729190,932483,945484,945493,947458,948902,960414,961368,962313,965576,970632,975865
CVE References: CVE-2015-8325,CVE-2016-1908,CVE-2016-3115
Sources used:
openSUSE Leap 42.1 (src): openssh-6.6p1-11.1, openssh-askpass-gnome-6.6p1-11.1
SR:101008631720 CR:101008631799
Customer needs patches of openssh for CVE-2016-3115 on SLES 11 SP1 x86 and x86_64, please help to provide them. Thanks.
Wei Wang
SUSE-SU-2016:1528-1: An update that solves three vulnerabilities and has 7 fixes is now available.
Category: security (moderate)
Bug References: 729190,932483,948902,960414,961368,961494,962313,965576,970632,975865
CVE References: CVE-2015-8325,CVE-2016-1908,CVE-2016-3115
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): openssh-6.6p1-21.1, openssh-askpass-gnome-6.6p1-21.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src): openssh-6.6p1-21.1, openssh-askpass-gnome-6.6p1-21.3
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-08-01. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62899
SUSE-SU-2016:2388-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 932483,948902,959096,962313,962794,970632,975865,981654,989363,992533
CVE References: CVE-2015-8325,CVE-2016-1908,CVE-2016-3115,CVE-2016-6210,CVE-2016-6515
Sources used:
SUSE OpenStack Cloud 5 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Manager Proxy 2.1 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Manager 2.1 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Linux Enterprise Server 11-SP3-LTSS (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Linux Enterprise Point of Sale 11-SP3 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Linux Enterprise Debuginfo 11-SP3 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE-SU-2016:2555-1: An update that solves 5 vulnerabilities and has 8 fixes is now available.
Category: security (moderate)
Bug References: 729190,932483,948902,960414,961368,961494,962313,965576,970632,975865,981654,989363,992533
CVE References: CVE-2015-8325,CVE-2016-1908,CVE-2016-3115,CVE-2016-6210,CVE-2016-6515
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src): openssh-openssl1-6.6p1-15.1
all released