critical
9.8
CWE
287
Advisory Published
CVE Published
Updated

CVE-2016-1908

First published: Thu Jan 14 2016(Updated: )

It was discovered that OpenSSH client did not correctly handle situations when untrusted X11 forwarding was requested and generation of the untrusted authentication cookie failed. The ssh client continued by generating fake authentication cookie and allowed remote X clients to connect the local X server. The decision if client connection was accepted was delegated to the X server which, depending on its configuration, could allow clients to open trusted X connection. This would lead to remote X clients having more privileged access to the local X server than intended. This problem can occur when X server does not include or enable X Security extension (for X.org X server, this extension is not compiled in by default since 2007) and when it has authentication methods besides MIT cookies enabled (e.g. localuser authentication allowing all X connections from a local user who owns the X session). Both of these conditions are satisfied on Red Hat Enterprise Linux 7 and current Fedora versions. The X server does not have X Security extension compiled in and 'xhost +si:localuser:`id -un`' is run from the xinit scripts. Therefore remote X clients are granted trusted access to the local X server when 'ssh -X' is used, as if 'ssh -Y' was actually used. The X server on Red Hat Enterprise Linux 6 includes X Security extension (as of RHSA-2013:1620 - <a href="http://rhn.redhat.com/errata/RHSA-2013-1620.html">http://rhn.redhat.com/errata/RHSA-2013-1620.html</a> - which was released as part of Red Hat Enterprise Linux 6.5) and hence does not fall back to the use of fake authentication cookie. This issue was corrected upstream in version 7.1p2: <a href="http://www.openssh.com/txt/release-7.1p2">http://www.openssh.com/txt/release-7.1p2</a> Upstream commit: <a href="https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c">https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c</a> which needs to be applied after: <a href="https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f">https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f</a>

Credit: secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
redhat/openssh<7.2
7.2
debian/openssh
1:8.4p1-5+deb11u3
1:9.2p1-2+deb12u3
1:9.8p1-8
OpenSSH<7.2
Debian Linux=8.0
Oracle Linux=6
Oracle Linux=7
Red Hat Enterprise Linux Desktop=6.0
Red Hat Enterprise Linux Desktop=7.0
Red Hat Enterprise Linux Server EUS=7.2
Red Hat Enterprise Linux Server EUS=7.3
Red Hat Enterprise Linux Server EUS=7.4
Red Hat Enterprise Linux Server EUS=7.5
Red Hat Enterprise Linux Server EUS=7.6
Red Hat Enterprise Linux Server EUS=7.7
Red Hat Enterprise Linux Server=6.0
Red Hat Enterprise Linux Server=7.0
Red Hat Enterprise Linux Server=7.2
Red Hat Enterprise Linux Server=7.3
Red Hat Enterprise Linux Server=7.4
Red Hat Enterprise Linux Server=7.6
Red Hat Enterprise Linux Server=7.7
Red Hat Enterprise Linux Server=7.2
Red Hat Enterprise Linux Server=7.3
Red Hat Enterprise Linux Server=7.6
Red Hat Enterprise Linux Server=7.7
Red Hat Enterprise Linux Workstation=6.0
Red Hat Enterprise Linux Workstation=7.0

Remedy

https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c

Remedy

https://bugzilla.redhat.com/show_bug.cgi?id=1298741

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2016-1908?

    The severity of CVE-2016-1908 is considered important as it can allow remote X clients to connect to the local X server improperly.

  • How do I fix CVE-2016-1908?

    To fix CVE-2016-1908, you should upgrade your OpenSSH client to a version that is patched against this vulnerability, specifically to versions above 7.2 for Red Hat and appropriate versions for Debian.

  • Which software is affected by CVE-2016-1908?

    CVE-2016-1908 affects several OpenSSH versions, notably versions up to and including 7.2.

  • What are the potential consequences of CVE-2016-1908?

    The potential consequences of CVE-2016-1908 include unauthorized access to the local X server, leading to potential data exposure or remote command execution.

  • Is my system vulnerable to CVE-2016-1908?

    You may be vulnerable to CVE-2016-1908 if you are running an affected version of OpenSSH prior to 7.2, so please verify your software version.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203