ID CVE-2016-3115
Summary Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.
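The mechanism behind the summary, as an added example (not OpenSSH's source and not the EDB-39569 exploit): sshd before 7.2p2 wrote the display, protocol and cookie fields of the client's X11 forwarding request into the command stream it piped to xauth(1), so a CR/LF inside any field became a second xauth command run under the authenticated user's privilege. The hardened builder applies an allow-list modelled on the check OpenSSH 7.2p2 added in session.c (xauth_valid_string). The last helpers check the mitigation the OpenSSH advisory recommends: X11Forwarding off in sshd_config, and 'restrict' or 'no-x11-forwarding' on authorized_keys entries that carry a command restriction. Function names and every sample input are constructed for this example.

```python
"""Added example for CVE-2016-3115 (not OpenSSH code, not the EDB-39569 exploit).

Shows why a CR/LF in an X11 forwarding request field became a second xauth(1)
command in sshd < 7.2p2, the allow-list that closes it, and two checks for the
advisory's mitigation (X11Forwarding, 'restrict' / 'no-x11-forwarding').
All sample inputs are constructed.
"""
import re

# Allow-list modelled on OpenSSH 7.2p2's xauth_valid_string():
# letters, digits, '.', ':', '/', '-', '_'. Nothing else, so no CR, LF or quotes.
_XAUTH_SAFE = re.compile(r"[A-Za-z0-9./:_-]+")


def xauth_valid_string(s: str) -> bool:
    """True if s is non-empty and every character is in the xauth allow-list."""
    return _XAUTH_SAFE.fullmatch(s) is not None


def build_xauth_script_vulnerable(display: str, auth_proto: str, auth_data: str) -> str:
    """Pre-7.2p2 shape: request fields interpolated verbatim into xauth's stdin."""
    return f"remove {display}\nadd {display} {auth_proto} {auth_data}\n"


def build_xauth_script_hardened(display: str, auth_proto: str, auth_data: str) -> str:
    """Same output format, but every client-supplied field is validated first."""
    for name, value in (("display", display), ("auth_proto", auth_proto),
                        ("auth_data", auth_data)):
        if not xauth_valid_string(value):
            raise ValueError(f"refusing X11 forwarding: invalid {name}")
    return build_xauth_script_vulnerable(display, auth_proto, auth_data)


def xauth_commands(script: str) -> list[list[str]]:
    """Split the stdin script as xauth does: one whitespace-separated command per line."""
    return [line.split() for line in script.splitlines() if line.strip()]


def parse_authorized_keys_options(options: str) -> list[str]:
    """Split an authorized_keys option string on commas, honouring double quotes,
    so command="rsync --server -a,--delete",no-pty yields two options, not three."""
    out, cur, quoted = [], [], False
    for ch in options:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur).strip())
    return [o for o in out if o]


def key_permits_x11(options: str) -> bool:
    """True if a command-restricted key still lets the client request X11 forwarding."""
    names = {o.split("=", 1)[0].lower() for o in parse_authorized_keys_options(options)}
    return not ({"restrict", "no-x11-forwarding"} & names)


def x11_forwarding_enabled(sshd_config: str) -> bool:
    """First X11Forwarding directive wins, as sshd_config(5) specifies; default is no.
    Match blocks are not evaluated here (simplification for this example)."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword == "x11forwarding":
            return value == "yes"
    return False


if __name__ == "__main__":
    # Constructed request: the cookie field smuggles a second xauth command.
    # 'source' makes xauth parse an arbitrary file (assumption: this is the
    # file-read primitive the advisory refers to).
    injected = "c0ffee\nsource /etc/passwd"
    print(xauth_commands(build_xauth_script_vulnerable(":10", "MIT-MAGIC-COOKIE-1", injected)))
    try:
        build_xauth_script_hardened(":10", "MIT-MAGIC-COOKIE-1", injected)
    except ValueError as err:
        print(err)
    print(key_permits_x11('command="/usr/bin/rsync --server",no-pty'))       # True: still exposed
    print(key_permits_x11('restrict,command="/usr/bin/rsync --server"'))     # False: mitigated
```

The vulnerable builder is the pre-fix shape, not a line-for-line copy of session.c; the point is that xauth's stdin protocol is line-oriented, so any field that can contain a newline is a command injection sink, and an allow-list on the fields is the right fix because xauth was never written to handle hostile input.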
Vulnerable Configurations
  • cpe:2.3:a:openbsd:openssh:7.2:p1
  • cpe:2.3:o:oracle:vm_server:3.2
CVSS
Base: 5.5 (as of 09-09-2016 - 22:20)
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: SINGLE_INSTANCE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: NONE
exploit-db via4
  • description OpenSSH 7.2p1 - xauth Injection. CVE-2016-3115. Remote exploit for multiple platforms
    file exploits/multiple/remote/39569.py
    id EDB-ID:39569
    last seen 2016-03-17
    modified 2016-03-16
    platform multiple
    port 22
    published 2016-03-16
    reporter tintinweb
    source https://www.exploit-db.com/download/39569/
    title OpenSSH <= 7.2p1 - xauth Injection
    type remote
  • description BlackStratus LOGStorm 4.5.1.35/4.5.1.96 - Remote Root Exploit. Remote exploit for Hardware platform
    id EDB-ID:40858
    last seen 2016-12-04
    modified 2016-12-04
    published 2016-12-04
    reporter Exploit-DB
    source https://www.exploit-db.com/download/40858/
    title BlackStratus LOGStorm 4.5.1.35/4.5.1.96 - Remote Root Exploit
nessus via4
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL93532943.NASL
    description Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. (CVE-2016-3115)
    last seen 2017-10-29
    modified 2017-07-21
    plugin id 101859
    published 2017-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101859
    title F5 Networks BIG-IP : SSHD session.c vulnerability (K93532943)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-188267B485.NASL
    description Sync with openssh package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-18
    plugin id 90726
    published 2016-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90726
    title Fedora 23 : gsi-openssh-7.2p2-1.fc23 (2016-188267b485)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201612-18.NASL
    description The remote host is affected by the vulnerability described in GLSA-201612-18 (OpenSSH: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details. Impact : Remote attackers could cause Denial of Service and conduct user enumeration. Workaround : There is no known workaround at this time.
    last seen 2017-10-29
    modified 2016-12-12
    plugin id 95604
    published 2016-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95604
    title GLSA-201612-18 : OpenSSH: Multiple vulnerabilities
  • NASL family Misc.
    NASL id OPENSSH_72P2.NASL
    description According to its banner, the version of OpenSSH running on the remote host is prior to 7.2p2. It is, therefore, affected by a security bypass vulnerability due to improper sanitization of X11 authentication credentials. An authenticated, remote attacker can exploit this, via crafted credentials, to inject arbitrary xauth commands, resulting in gaining read and write access to arbitrary files, connecting to local ports, or performing further attacks on xauth itself. Note that exploiting this vulnerability requires X11Forwarding to have been enabled.
    last seen 2017-10-29
    modified 2016-09-01
    plugin id 90023
    published 2016-03-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90023
    title OpenSSH < 7.2p2 X11Forwarding xauth Command Injection
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0038.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (#1245969) - CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317816) - SSH2_MSG_DISCONNECT for user initiated disconnect follow RFC 4253 (#1222500) - Add missing dot in ssh manual page (#1197763) - Fix minor problems found by covscan/gcc (#1196063) - Add missing options in man ssh (#1197763) - Add KbdInteractiveAuthentication documentation to man sshd_config (#1109251) - Correct freeing newkeys structure when privileged monitor exits (#1208584) - Fix problems with failing persistent connections (#1131585) - Fix memory leaks in auditing patch (#1208584) - Better approach to logging sftp commands in chroot - Make sshd -T write all config options and add missing Cipher, MAC to man (#1109251) - Add missing ControlPersist option to man ssh (#1197763) - Add sftp option to force mode of created files (#1191055) - Do not load RSA1 keys in FIPS mode (#1197072) - Add missing support for ECDSA in ssh-keyscan (#1196331) - Fix coverity/gcc issues (#1196063) - Backport wildcard functionality for PermitOpen in sshd_config file (#1159055) - Ability to specify an arbitrary LDAP filter in ldap.conf (#1119506) - Fix ControlPersist option with ProxyCommand (#1160487) - Backport fix of ssh-keygen with error : gethostname: File name too long (#1161454) - Backport show remote address instead of UNKNOWN after timeout at password prompt (#1161449) - Fix printing of extensions in v01 certificates (#1093869) - Fix confusing audit trail for unsuccessful logins (#1127312) - Don't close fds for internal sftp sessions (#1085710) - Fix config parsing quotes (backport) (#1134938) - Enable logging in chroot into separate file (#1172224) - Fix auditing when using combination of ForcedCommand and PTY (#1131585) - Fix ssh-copy-id on non-sh remote shells (#1135521) - ignore SIGXFSZ in postauth monitor child (#1133906) - don't try to generate DSA keys in the init script in FIPS mode (#1118735) - ignore SIGPIPE in ssh-keyscan (#1108836) - ssh-add: fix fatal exit when removing card (#1042519) - fix race in backported ControlPersist patch (#953088) - skip requesting smartcard PIN when removing keys from agent (#1042519) - add possibility to autocreate only RSA key into initscript (#1111568) - fix several issues reported by coverity - x11 forwarding - be less restrictive when can't bind to one of available addresses (#1027197) - better fork error detection in audit patch (#1028643) - fix openssh-5.3p1-x11.patch for non-linux platforms (#1100913) - prevent a server from skipping SSHFP lookup (#1081338) (CVE-2014-2653) - ignore environment variables with embedded '=' or '\0' characters (CVE-2014-2532) - backport ControlPersist option (#953088) - log when a client requests an interactive session and only sftp is allowed (#997377) - don't try to load RSA1 host key in FIPS mode (#1009959) - restore Linux oom_adj setting when handling SIGHUP to maintain behaviour over restart (#1010429) - ssh-keygen -V - relative-specified certificate expiry time should be relative to current time (#1022459) - adjust the key exchange DH groups and ssh-keygen according to SP800-131A (#993580) - log failed integrity test if /etc/system-fips exists (#1020803) - backport ECDSA and ECDH support (#1028335) - use dracut-fips package to determine if a FIPS module is installed (#1001565) - use dist tag in suffixes for hmac checksum files (#1001565) - use hmac_suffix for ssh[,d] hmac checksums (#1001565) - fix NSS keys support (#1004763) - change default value of MaxStartups - CVE-2010-5107 - #908707 - add -fips subpackages that contains the FIPS module files (#1001565) - don't use SSH_FP_MD5 for fingerprints in FIPS mode (#998835) - do ssh_gssapi_krb5_storecreds twice - before and after pam session (#974096) - bump the minimum value of SSH_USE_STRONG_RNG to 14 according to SP800-131A (#993577) - fixed an issue with broken 'ssh -I pkcs11' (#908038) - abort non-subsystem sessions to forced internal sftp-server (#993509) - reverted 'store krb5 credentials after a pam session is created (#974096)' - Add support for certificate key types for users and hosts (#906872) - Apply RFC3454 stringprep to banners when possible (#955792) - fix chroot logging issue (#872169) - change the bad key permissions error message (#880575) - fix a race condition in ssh-agent (#896561) - backport support for PKCS11 from openssh-5.4p1 (#908038) - add a KexAlgorithms knob to the client and server configuration (#951704) - fix parsing logic of ldap.conf file (#954094) - Add HMAC-SHA2 algorithm support (#969565) - store krb5 credentials after a pam session is created (#974096)
    last seen 2017-10-29
    modified 2017-02-14
    plugin id 90076
    published 2016-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90076
    title OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0038)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-FC1CC33E05.NASL
    description Sync with openssh package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-18
    plugin id 90740
    published 2016-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90740
    title Fedora 22 : gsi-openssh-6.9p1-8.fc22 (2016-fc1cc33e05)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1008.NASL
    description According to the versions of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) - An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-05-04
    plugin id 99771
    published 2017-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99771
    title EulerOS 2.0 SP1 : openssh (EulerOS-SA-2016-1008)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0466.NASL
    description Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
    last seen 2017-10-29
    modified 2017-01-10
    plugin id 90079
    published 2016-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90079
    title RHEL 6 : openssh (RHSA-2016:0466)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0465.NASL
    description Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
    last seen 2017-10-29
    modified 2017-08-14
    plugin id 90068
    published 2016-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90068
    title CentOS 7 : openssh (CESA-2016:0465)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0466.NASL
    description From Red Hat Security Advisory 2016:0466 : Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
    last seen 2017-10-29
    modified 2016-12-07
    plugin id 90075
    published 2016-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90075
    title Oracle Linux 6 : openssh (ELSA-2016-0466)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0465.NASL
    description From Red Hat Security Advisory 2016:0465 : Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
    last seen 2017-10-29
    modified 2017-08-15
    plugin id 90074
    published 2016-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90074
    title Oracle Linux 7 : openssh (ELSA-2016-0465)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3531.NASL
    description Description of changes: [4.3p2-82.0.2] - CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (John Haxby) [orabug 22985024] - CVE-2016-3115: missing sanitisation of input for X11 forwarding (John Haxby) [orabug 22985024]
    last seen 2017-10-29
    modified 2016-10-19
    plugin id 90342
    published 2016-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90342
    title Oracle Linux 5 : openssh (ELSA-2016-3531)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-070-01.NASL
    description New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen 2017-10-29
    modified 2016-10-19
    plugin id 89836
    published 2016-03-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89836
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssh (SSA:2016-070-01)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-668.NASL
    description It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions.
    last seen 2017-10-29
    modified 2016-10-07
    plugin id 89965
    published 2016-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89965
    title Amazon Linux AMI : openssh (ALAS-2016-668)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1386-1.NASL
    description This update for OpenSSH fixes three security issues. These security issues were fixed : - CVE-2016-3115: Sanitise input for xauth(1) (bsc#970632) - CVE-2016-1908: Prevent X11 SECURITY circumvention when forwarding X11 connections (bsc#962313) - CVE-2015-8325: Ignore PAM environment when using login (bsc#975865) These non-security issues were fixed : - Fix help output of sftp (bsc#945493) - Restarting openssh with openssh-fips installed was not working correctly (bsc#945484) - Fix crashes when /proc is not available in the chroot (bsc#947458) - Correctly parse GSSAPI KEX algorithms (bsc#961368) - More verbose FIPS mode/CC related documentation in README.FIPS (bsc#965576, bsc#960414) - Fix PRNG re-seeding (bsc#960414, bsc#729190) - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 91318
    published 2016-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91318
    title SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2016:1386-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0466.NASL
    description Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
    last seen 2017-10-29
    modified 2016-11-17
    plugin id 90069
    published 2016-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90069
    title CentOS 6 : openssh (CESA-2016:0466)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-D339D610C1.NASL
    description This update provides the recent upstream fix published with openssh-7.2p2 (#1316529). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-18
    plugin id 90285
    published 2016-04-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90285
    title Fedora 22 : openssh-6.9p1-11.fc22 (2016-d339d610c1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0070.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (John Haxby) [orabug 22985024] - CVE-2016-3115: missing sanitisation of input for X11 forwarding (John Haxby) [orabug 22985024]
    last seen 2017-10-29
    modified 2017-02-14
    plugin id 91750
    published 2016-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91750
    title OracleVM 3.2 : openssh (OVMSA-2016-0070)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-08E5803496.NASL
    description Sync with openssh package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-18
    plugin id 90947
    published 2016-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90947
    title Fedora 24 : gsi-openssh-7.2p2-2.fc24 (2016-08e5803496)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2388-1.NASL
    description This update for OpenSSH fixes the following issues : - Prevent user enumeration through the timing of password processing. (bsc#989363, CVE-2016-6210) - Allow lowering the DH groups parameter limit in server as well as when GSSAPI key exchange is used. (bsc#948902) - Sanitize input for xauth(1). (bsc#970632, CVE-2016-3115) - Prevent X11 SECURITY circumvention when forwarding X11 connections. (bsc#962313, CVE-2016-1908) - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option. (bsc#932483, bsc#948902) - Ignore PAM environment when using login. (bsc#975865, CVE-2015-8325) - Limit the accepted password length (prevents a possible denial of service). (bsc#992533, CVE-2016-6515) - Relax version requires for the openssh-askpass sub-package. (bsc#962794) - Avoid complaining about unset DISPLAY variable. (bsc#981654) - Initialize message id to prevent connection breakups in some cases. (bsc#959096) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-27
    plugin id 93735
    published 2016-09-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93735
    title SUSE SLES11 Security Update : openssh (SUSE-SU-2016:2388-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0465.NASL
    description Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
    last seen 2017-10-29
    modified 2017-08-15
    plugin id 90078
    published 2016-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90078
    title RHEL 7 : openssh (RHSA-2016:0465)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-0BCAB055A7.NASL
    description This update provides the recent upstream fix published with openssh-7.2p2 (#1316529). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-18
    plugin id 90209
    published 2016-03-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90209
    title Fedora 24 : openssh-7.2p2-1.fc24 (2016-0bcab055a7)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_E4644DF8E7DA11E5829DC80AA9043978.NASL
    description The OpenSSH project reports : Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1). Injection of xauth commands grants the ability to read arbitrary files under the authenticated user's privilege, Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth(1), which was not written with a hostile user in mind, as an attack surface. Mitigation : Set X11Forwarding=no in sshd_config. This is the default. For authorized_keys that specify a 'command' restriction, also set the 'restrict' (available in OpenSSH >=7.2) or 'no-x11-forwarding' restrictions.
    last seen 2017-10-29
    modified 2016-10-19
    plugin id 89897
    published 2016-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89897
    title FreeBSD : openssh -- command injection when X11Forwarding is enabled (e4644df8-e7da-11e5-829d-c80aa9043978)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-BB59DB3C86.NASL
    description This update provides recent upstream (security) release, sanitizing X11 authentication credentials. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-18
    plugin id 89887
    published 2016-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89887
    title Fedora 23 : openssh-7.2p2-1.fc23 (2016-bb59db3c86)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160321_OPENSSH_ON_SL6_X.NASL
    description It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
    last seen 2017-10-29
    modified 2016-10-19
    plugin id 90080
    published 2016-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90080
    title Scientific Linux Security Update : openssh on SL6.x i386/x86_64
  • NASL family AIX Local Security Checks
    NASL id AIX_OPENSSH_ADVISORY8.NASL
    description The remote AIX host has a version of OpenSSH installed that is affected by the following vulnerabilities : - A command injection vulnerability exists in the sshd server component of OpenSSH due to improper sanitization of X11 authentication credentials. An authenticated, remote attacker can exploit this vulnerability to inject arbitrary xauth commands. (CVE-2016-3115) - A security bypass vulnerability exists in the sshd server component of OpenSSH due to improper error handling. An authenticated, remote attacker can exploit this vulnerability, when an authentication cookie is generated during untrusted X11 forwarding, to gain access to the X server on the host system. (CVE-2016-1908)
    last seen 2017-10-29
    modified 2016-09-01
    plugin id 90942
    published 2016-05-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90942
    title AIX OpenSSH Advisory : openssh_advisory8.asc
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1528-1.NASL
    description openssh was updated to fix three security issues. These security issues were fixed : - CVE-2016-3115: Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH allowed remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions (bsc#970632). - CVE-2016-1908: Possible fallback from untrusted to trusted X11 forwarding (bsc#962313). - CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes (bsc#975865). These non-security issues were fixed : - Correctly parse GSSAPI KEX algorithms (bsc#961368) - More verbose FIPS mode/CC related documentation in README.FIPS (bsc#965576, bsc#960414) - Fix PRNG re-seeding (bsc#960414, bsc#729190) - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) - Allow empty Match blocks (bsc#961494) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 91655
    published 2016-06-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91655
    title SUSE SLES11 Security Update : openssh (SUSE-SU-2016:1528-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-668.NASL
    description This update for OpenSSH fixes three security issues. These security issues were fixed : - CVE-2016-3115: Sanitise input for xauth(1) (bsc#970632) - CVE-2016-1908: Prevent X11 SECURITY circumvention when forwarding X11 connections (bsc#962313) - CVE-2015-8325: Ignore PAM environment when using login (bsc#975865) These non-security issues were fixed : - Fix help output of sftp (bsc#945493) - Restarting openssh with openssh-fips installed was not working correctly (bsc#945484) - Fix crashes when /proc is not available in the chroot (bsc#947458) - Correctly parse GSSAPI KEX algorithms (bsc#961368) - More verbose FIPS mode/CC related documentation in README.FIPS (bsc#965576, bsc#960414) - Fix PRNG re-seeding (bsc#960414, bsc#729190) - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2017-10-29
    modified 2017-04-18
    plugin id 91413
    published 2016-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91413
    title openSUSE Security Update : openssh (openSUSE-2016-668)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0048.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317817) - Restore functionality of pam_ssh_agent_auth in FIPS mode (#1278315) - Initialize devices_done variable for challenge response (#1281468) - Update behaviour of X11 forwarding to match upstream (#1299048) - Amends previous release, fixing typos and behaviour changes
    last seen 2017-10-29
    modified 2017-02-14
    plugin id 91153
    published 2016-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91153
    title OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0048)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2966-1.NASL
    description Shayan Sadigh discovered that OpenSSH incorrectly handled environment files when the UseLogin feature is enabled. A local attacker could use this issue to gain privileges. (CVE-2015-8325) Ben Hawkes discovered that OpenSSH incorrectly handled certain network traffic. A remote attacker could possibly use this issue to cause OpenSSH to crash, resulting in a denial of service. This issue only applied to Ubuntu 15.10. (CVE-2016-1907) Thomas Hoger discovered that OpenSSH incorrectly handled untrusted X11 forwarding when the SECURITY extension is disabled. A connection configured as being untrusted could get switched to trusted in certain scenarios, contrary to expectations. (CVE-2016-1908) It was discovered that OpenSSH incorrectly handled certain X11 forwarding data. A remote authenticated attacker could possibly use this issue to bypass certain intended command restrictions. (CVE-2016-3115). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 91086
    published 2016-05-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91086
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : openssh vulnerabilities (USN-2966-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160321_OPENSSH_ON_SL7_X.NASL
    description It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
    last seen 2017-10-29
    modified 2017-04-18
    plugin id 90081
    published 2016-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90081
    title Scientific Linux Security Update : openssh on SL7.x x86_64
packetstorm via4
redhat via4
advisories
  • bugzilla
    id 1316829
    title CVE-2016-3115 openssh: missing sanitisation of input for X11 forwarding
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment openssh is earlier than 0:6.6.1p1-25.el7_2
          oval oval:com.redhat.rhsa:tst:20160465017
        • comment openssh is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884006
      • AND
        • comment openssh-askpass is earlier than 0:6.6.1p1-25.el7_2
          oval oval:com.redhat.rhsa:tst:20160465009
        • comment openssh-askpass is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884008
      • AND
        • comment openssh-clients is earlier than 0:6.6.1p1-25.el7_2
          oval oval:com.redhat.rhsa:tst:20160465007
        • comment openssh-clients is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884014
      • AND
        • comment openssh-keycat is earlier than 0:6.6.1p1-25.el7_2
          oval oval:com.redhat.rhsa:tst:20160465011
        • comment openssh-keycat is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150425012
      • AND
        • comment openssh-ldap is earlier than 0:6.6.1p1-25.el7_2
          oval oval:com.redhat.rhsa:tst:20160465013
        • comment openssh-ldap is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884012
      • AND
        • comment openssh-server is earlier than 0:6.6.1p1-25.el7_2
          oval oval:com.redhat.rhsa:tst:20160465019
        • comment openssh-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884016
      • AND
        • comment openssh-server-sysvinit is earlier than 0:6.6.1p1-25.el7_2
          oval oval:com.redhat.rhsa:tst:20160465015
        • comment openssh-server-sysvinit is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150425016
      • AND
        • comment pam_ssh_agent_auth is earlier than 0:0.9.3-9.25.el7_2
          oval oval:com.redhat.rhsa:tst:20160465005
        • comment pam_ssh_agent_auth is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884010
    rhsa
    id RHSA-2016:0465
    released 2016-03-21
    severity Moderate
    title RHSA-2016:0465: openssh security update (Moderate)
  • bugzilla
    id 1316829
    title CVE-2016-3115 openssh: missing sanitisation of input for X11 forwarding
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment openssh is earlier than 0:5.3p1-114.el6_7
          oval oval:com.redhat.rhsa:tst:20160466005
        • comment openssh is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884006
      • AND
        • comment openssh-askpass is earlier than 0:5.3p1-114.el6_7
          oval oval:com.redhat.rhsa:tst:20160466015
        • comment openssh-askpass is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884008
      • AND
        • comment openssh-clients is earlier than 0:5.3p1-114.el6_7
          oval oval:com.redhat.rhsa:tst:20160466011
        • comment openssh-clients is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884014
      • AND
        • comment openssh-ldap is earlier than 0:5.3p1-114.el6_7
          oval oval:com.redhat.rhsa:tst:20160466007
        • comment openssh-ldap is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884012
      • AND
        • comment openssh-server is earlier than 0:5.3p1-114.el6_7
          oval oval:com.redhat.rhsa:tst:20160466013
        • comment openssh-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884016
      • AND
        • comment pam_ssh_agent_auth is earlier than 0:0.9.3-114.el6_7
          oval oval:com.redhat.rhsa:tst:20160466009
        • comment pam_ssh_agent_auth is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884010
    rhsa
    id RHSA-2016:0466
    released 2016-03-21
    severity Moderate
    title RHSA-2016:0466: openssh security update (Moderate)
rpms
  • openssh-0:6.6.1p1-25.el7_2
  • openssh-askpass-0:6.6.1p1-25.el7_2
  • openssh-clients-0:6.6.1p1-25.el7_2
  • openssh-keycat-0:6.6.1p1-25.el7_2
  • openssh-ldap-0:6.6.1p1-25.el7_2
  • openssh-server-0:6.6.1p1-25.el7_2
  • openssh-server-sysvinit-0:6.6.1p1-25.el7_2
  • pam_ssh_agent_auth-0:0.9.3-9.25.el7_2
  • openssh-0:5.3p1-114.el6_7
  • openssh-askpass-0:5.3p1-114.el6_7
  • openssh-clients-0:5.3p1-114.el6_7
  • openssh-ldap-0:5.3p1-114.el6_7
  • openssh-server-0:5.3p1-114.el6_7
  • pam_ssh_agent_auth-0:0.9.3-114.el6_7
refmap via4
bid 84314
confirm
fedora
  • FEDORA-2016-08e5803496
  • FEDORA-2016-0bcab055a7
  • FEDORA-2016-188267b485
  • FEDORA-2016-bb59db3c86
  • FEDORA-2016-d339d610c1
  • FEDORA-2016-fc1cc33e05
freebsd FreeBSD-SA-16:14
fulldisc
  • 20160314 CVE-2016-3115 - OpenSSH <=7.2p1 xauth injection
  • 20160314 CVE-2016-3116 - Dropbear SSH xauth injection
gentoo GLSA-201612-18
misc
sectrack 1035249
Last major update 02-12-2016 - 22:26
Published 22-03-2016 - 06:59
Last modified 30-06-2017 - 21:29