CVE-2016-1908
First published: Thu Jan 14 2016(Updated: )
It was discovered that OpenSSH client did not correctly handle situations when untrusted X11 forwarding was requested and generation of the untrusted authentication cookie failed. The ssh client continued by generating fake authentication cookie and allowed remote X clients to connect the local X server. The decision if client connection was accepted was delegated to the X server which, depending on its configuration, could allow clients to open trusted X connection. This would lead to remote X clients having more privileged access to the local X server than intended. This problem can occur when X server does not include or enable X Security extension (for X.org X server, this extension is not compiled in by default since 2007) and when it has authentication methods besides MIT cookies enabled (e.g. localuser authentication allowing all X connections from a local user who owns the X session). Both of these conditions are satisfied on Red Hat Enterprise Linux 7 and current Fedora versions. The X server does not have X Security extension compiled in and 'xhost +si:localuser:`id -un`' is run from the xinit scripts. Therefore remote X clients are granted trusted access to the local X server when 'ssh -X' is used, as if 'ssh -Y' was actually used. The X server on Red Hat Enterprise Linux 6 includes X Security extension (as of RHSA-2013:1620 - <a href="http://rhn.redhat.com/errata/RHSA-2013-1620.html">http://rhn.redhat.com/errata/RHSA-2013-1620.html</a> - which was released as part of Red Hat Enterprise Linux 6.5) and hence does not fall back to the use of fake authentication cookie. This issue was corrected upstream in version 7.1p2: <a href="http://www.openssh.com/txt/release-7.1p2">http://www.openssh.com/txt/release-7.1p2</a> Upstream commit: <a href="https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c">https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c</a> which needs to be applied after: <a href="https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f">https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f</a>
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Openbsd Openssh | <7.2 | |
| Debian Debian Linux | =8.0 | |
| Oracle Linux | =6 | |
| Oracle Linux | =7 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Eus | =7.2 | |
| Redhat Enterprise Linux Eus | =7.3 | |
| Redhat Enterprise Linux Eus | =7.4 | |
| Redhat Enterprise Linux Eus | =7.5 | |
| Redhat Enterprise Linux Eus | =7.6 | |
| Redhat Enterprise Linux Eus | =7.7 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Aus | =7.2 | |
| Redhat Enterprise Linux Server Aus | =7.3 | |
| Redhat Enterprise Linux Server Aus | =7.4 | |
| Redhat Enterprise Linux Server Aus | =7.6 | |
| Redhat Enterprise Linux Server Aus | =7.7 | |
| Redhat Enterprise Linux Server Tus | =7.2 | |
| Redhat Enterprise Linux Server Tus | =7.3 | |
| Redhat Enterprise Linux Server Tus | =7.6 | |
| Redhat Enterprise Linux Server Tus | =7.7 | |
| Redhat Enterprise Linux Workstation | =6.0 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| redhat/openssh | <7.2 | 7.2 |
| debian/openssh | 1:8.4p1-5+deb11u3 1:9.2p1-2+deb12u3 1:9.8p1-8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://openwall.com/lists/oss-security/2016/01/15/13
- http://rhn.redhat.com/errata/RHSA-2016-0465.html
- http://rhn.redhat.com/errata/RHSA-2016-0741.html
- http://www.openssh.com/txt/release-7.2
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.securityfocus.com/bid/84427
- http://www.securitytracker.com/id/1034705
- https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
- https://bugzilla.redhat.com/show_bug.cgi?id=1298741
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
- https://security.gentoo.org/glsa/201612-18
- https://launchpad.net/bugs/cve/CVE-2016-1908
- http://rhn.redhat.com/errata/RHSA-2013-1620.html
- http://www.openssh.com/txt/release-7.1p2
- https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f
- http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1298840
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1298841
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1298842
- https://access.redhat.com/security/cve/CVE-2016-1908
- http://seclists.org/oss-sec/2016/q1/115
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1298741#c4
- https://rhn.redhat.com/errata/RHSA-2016-0465.html
- https://rhn.redhat.com/errata/RHSA-2016-0741.html
- https://thejh.net/written-stuff/openssh-6.8-xsecurity
- https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html
- https://lists.debian.org/debian-lts/2016/01/msg00029.html
- https://security-tracker.debian.org/tracker/CVE-2016-1908
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1908
- https://nvd.nist.gov/vuln/detail/CVE-2016-1908
- https://ubuntu.com/security/CVE-2016-1908
- collector/nvd-index
- agent/author
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-1908
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/weakness
- collector/nvd-cve
- source/NVD
- agent/description
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/openbsd
- canonical/openbsd openssh
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/oracle
- canonical/oracle linux
- version/oracle linux/6
- version/oracle linux/7
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/7.2
- version/redhat enterprise linux eus/7.3
- version/redhat enterprise linux eus/7.4
- version/redhat enterprise linux eus/7.5
- version/redhat enterprise linux eus/7.6
- version/redhat enterprise linux eus/7.7
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.2
- version/redhat enterprise linux server aus/7.3
- version/redhat enterprise linux server aus/7.4
- version/redhat enterprise linux server aus/7.6
- version/redhat enterprise linux server aus/7.7
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.2
- version/redhat enterprise linux server tus/7.3
- version/redhat enterprise linux server tus/7.6
- version/redhat enterprise linux server tus/7.7
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux workstation/7.0
- package-manager/redhat
- package-manager/debian