Category:   Application (VPN)  >   OpenSSH
Vendors:   OpenSSH.org
(CentOS Issues Fix) OpenSSH X11 Authentication Credentials Input Validation Flaw Lets Remote Authenticated Users Inject xauth Commands on the Target System
SecurityTracker Alert ID:  1035347
SecurityTracker URL:  http://securitytracker.com/id/1035347
CVE Reference:   CVE-2016-3115
Date:  Mar 22 2016
Impact:   Disclosure of user information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 7.2p2
Description:   A vulnerability was reported in OpenSSH. A remote authenticated user can inject xauth commands.

The sshd server does not properly validate user-supplied X11 authentication credentials when establishing an X11 forwarding session before supplying the credentials to xauth. A remote authenticated user can send specially crafted X11 credential data to inject xauth commands. The commands will run with the user's own privileges but can be exploited to, for example, read or overwrite files, connect to local ports, or perform other attacks against xauth.

Systems with X11Forwarding enabled are affected.
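
To check whether a host is in the affected configuration, the following added example (not part of the advisory or of OpenSSH) reads an sshd_config-style file and reports where X11Forwarding is enabled. The function name and the sample configuration are constructed for illustration; it assumes sshd's first-value-wins keyword handling and the upstream default of "no", and it does not follow Include directives.

```shell
#!/bin/sh
# Added example: report where an sshd_config-style file enables X11Forwarding.
# Assumptions: the first value read for a keyword wins, keywords are
# case-insensitive, the upstream default is "no", Include is not followed.

x11_forwarding_audit() {
    # $1: path to the configuration file.
    # Prints "global=<value>" and then one "match=<criteria>" line for each
    # Match block whose first X11Forwarding value is "yes".
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        {
            sub(/[ \t]*=[ \t]*/, " ")              # accept "Keyword=value"
            key = tolower($1)
            val = tolower($2)
            gsub(/"/, "", val)                     # accept quoted arguments
        }
        key == "match" {
            in_match = 1
            block_seen = 0
            crit = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", crit)  # keep only the criteria
            next
        }
        key == "x11forwarding" {
            if (!in_match) {
                if (global == "") global = val     # first global value wins
            } else if (!block_seen) {
                block_seen = 1                     # first value in this block
                if (val == "yes") matches = matches "match=" crit "\n"
            }
        }
        END {
            print "global=" (global == "" ? "no" : global)
            printf "%s", matches
        }
    ' "$1"
}

# Constructed sample configuration, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
x11forwarding no
X11Forwarding yes
Match User alice
    X11Forwarding yes
Match Group staff
    X11Forwarding no
EOF
x11_forwarding_audit "$sample"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration of the installed server and is the authoritative check.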

github.com/tintinweb reported this vulnerability.

Impact:   A remote authenticated user can inject arbitrary xauth commands to, for example, read or overwrite files, connect to local ports, or perform other attacks against xauth.
Solution:   CentOS has issued a fix.


Cause:   Input validation error
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  6, 7

Message History:   This archive entry is a follow-up to the message listed below.
Mar 10 2016 OpenSSH X11 Authentication Credentials Input Validation Flaw Lets Remote Authenticated Users Inject xauth Commands on the Target System



 Source Message Contents

Subject:  [CentOS-announce] CESA-2016:0465 Moderate CentOS 7 openssh Security Update


CentOS Errata and Security Advisory 2016:0465 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-0465.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 




-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS
