ID CVE-2016-1908
Summary The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server.
References
Vulnerable Configurations
  • cpe:2.3:a:openbsd:openssh:2.1.1:p2:*:*:*:*:*:*
    cpe:2.3:a:openbsd:openssh:2.1.1:p2:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:2.5.1:p2:*:*:*:*:*:*
    cpe:2.3:a:openbsd:openssh:2.5.1:p2:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:2.5.2:p2:*:*:*:*:*:*
    cpe:2.3:a:openbsd:openssh:2.5.2:p2:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:2.9:p2:*:*:*:*:*:*
    cpe:2.3:a:openbsd:openssh:2.9:p2:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.6.1:p2:*:*:*:*:*:*
    cpe:2.3:a:openbsd:openssh:3.6.1:p2:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.7.1:p2:*:*:*:*:*:*
    cpe:2.3:a:openbsd:openssh:3.7.1:p2:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:4.3:p2:*:*:*:*:*:*
    cpe:2.3:a:openbsd:openssh:4.3:p2:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:5.8:p2:*:*:*:*:*:*
    cpe:2.3:a:openbsd:openssh:5.8:p2:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:6.2:p2:*:*:*:*:*:*
    cpe:2.3:a:openbsd:openssh:6.2:p2:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:7.1:p2:*:*:*:*:*:*
    cpe:2.3:a:openbsd:openssh:7.1:p2:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 11-09-2018 - 10:29)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • bugzilla
    id 1298741
    title CVE-2016-1908 openssh: possible fallback from untrusted to trusted X11 forwarding
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment openssh is earlier than 0:5.3p1-117.el6
          oval oval:com.redhat.rhsa:tst:20160741013
        • comment openssh is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884006
      • AND
        • comment openssh-askpass is earlier than 0:5.3p1-117.el6
          oval oval:com.redhat.rhsa:tst:20160741011
        • comment openssh-askpass is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884008
      • AND
        • comment openssh-clients is earlier than 0:5.3p1-117.el6
          oval oval:com.redhat.rhsa:tst:20160741007
        • comment openssh-clients is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884014
      • AND
        • comment openssh-ldap is earlier than 0:5.3p1-117.el6
          oval oval:com.redhat.rhsa:tst:20160741015
        • comment openssh-ldap is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884012
      • AND
        • comment openssh-server is earlier than 0:5.3p1-117.el6
          oval oval:com.redhat.rhsa:tst:20160741009
        • comment openssh-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884016
      • AND
        • comment pam_ssh_agent_auth is earlier than 0:0.9.3-117.el6
          oval oval:com.redhat.rhsa:tst:20160741005
        • comment pam_ssh_agent_auth is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120884010
    rhsa
    id RHSA-2016:0741
    released 2016-05-10
    severity Moderate
    title RHSA-2016:0741: openssh security, bug fix, and enhancement update (Moderate)
  • rhsa
    id RHSA-2016:0465
rpms
  • openssh-0:6.6.1p1-25.el7_2
  • openssh-askpass-0:6.6.1p1-25.el7_2
  • openssh-clients-0:6.6.1p1-25.el7_2
  • openssh-keycat-0:6.6.1p1-25.el7_2
  • openssh-ldap-0:6.6.1p1-25.el7_2
  • openssh-server-0:6.6.1p1-25.el7_2
  • openssh-server-sysvinit-0:6.6.1p1-25.el7_2
  • pam_ssh_agent_auth-0:0.9.3-9.25.el7_2
  • openssh-0:5.3p1-117.el6
  • openssh-askpass-0:5.3p1-117.el6
  • openssh-clients-0:5.3p1-117.el6
  • openssh-ldap-0:5.3p1-117.el6
  • openssh-server-0:5.3p1-117.el6
  • pam_ssh_agent_auth-0:0.9.3-117.el6
refmap via4
bid 84427
confirm
gentoo GLSA-201612-18
mlist
  • [debian-lts-announce] 20180910 [SECURITY] [DLA 1500-1] openssh security update
  • [oss-security] 20160115 Re: Qualys Security Advisory - Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778
sectrack 1034705
Last major update 11-09-2018 - 10:29
Published 11-04-2017 - 18:59
Back to Top