Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2016-3115 |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software Subscribe |
OpenSSH Server applications / Remote management servers, RDP, SSH |
Vendor | OpenSSH |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU33811
Risk: Medium
CVSSv3.1: 5.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-3115
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote authenticated user to read and manipulate data.
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. <a href="https://cwe.mitre.org/data/definitions/93.html">CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')</a>
MitigationInstall update from vendor's website.
Vulnerable software versionsOpenSSH: 7.0 - 7.2p1
External linkshttp://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&f=h
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178838.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179924.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/180491.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html
http://packetstormsecurity.com/files/136234/OpenSSH-7.2p1-xauth-Command-Injection-Bypass.html
http://rhn.redhat.com/errata/RHSA-2016-0465.html
http://rhn.redhat.com/errata/RHSA-2016-0466.html
http://seclists.org/fulldisclosure/2016/Mar/46
http://seclists.org/fulldisclosure/2016/Mar/47
http://www.openssh.com/txt/x11fwd.adv
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/84314
http://www.securitytracker.com/id/1035249
http://bto.bluecoat.com/security-advisory/sa121
http://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
http://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
http://security.gentoo.org/glsa/201612-18
http://www.exploit-db.com/exploits/39569/
http://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.