Lucene search

HistoryMar 18, 2016 - 12:00 a.m.

OpenSSH < 7.2 Untrusted X11 Forwarding Fallback Security Bypass

2016-03-1800:00:00

www.tenable.com

177

9.4 High

AI Score

Confidence

High

JSON

According to its banner, the version of OpenSSH running on the remote host is prior to 7.2. It is, therefore, affected by a security bypass vulnerability due to a flaw in ssh(1) that is triggered when it falls back from untrusted X11 forwarding to trusted forwarding when the SECURITY extension is disabled by the X server. This can result in untrusted X11 connections that can be exploited by a remote attacker.

#
# (C) Tenable, Inc.
#

include("compat.inc");

if (description)
{
  script_id(90022);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/27");

  script_cve_id("CVE-2016-1908");

  script_name(english:"OpenSSH < 7.2 Untrusted X11 Forwarding Fallback Security Bypass");
  script_summary(english:"Checks the OpenSSH banner version.");

  script_set_attribute(attribute:"synopsis", value:
"The SSH server running on the remote host is affected by a security
bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of OpenSSH running on the remote
host is prior to 7.2. It is, therefore, affected by a security bypass
vulnerability due to a flaw in ssh(1) that is triggered when it falls
back from untrusted X11 forwarding to trusted forwarding when the
SECURITY extension is disabled by the X server. This can result in
untrusted X11 connections that can be exploited by a remote attacker.");
  script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-7.2");
  script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSH version 7.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1908");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/02/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/02/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/18");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("openssh_detect.nbin");
  script_require_keys("installed_sw/OpenSSH");
  script_require_ports("Services/ssh", 22);

  exit(0);
}

include('backport.inc');
include('vcf.inc');
include('vcf_extras.inc');

var port = get_service(svc:'ssh', default:22, exit_on_fail:TRUE);
var app_info = vcf::openssh::get_app_info(app:'OpenSSH', port:port);

vcf::check_all_backporting(app_info:app_info);

var constraints = [
  {'fixed_version' : '7.2' }
];

vcf::openssh::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

VendorProductVersionCPE
openbsdopensshcpe:/a:openbsd:openssh

Vendor	Product	Version	CPE
openbsd	openssh		cpe:/a:openbsd:openssh

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1908

www.openssh.com/txt/release-7.2

9.4 High

AI Score

Confidence

High

JSON

Related for OPENSSH_72.NASL