#VU33811 Input validation error in OpenSSH


Published: 2021-06-17

Vulnerability identifier: #VU33811

Vulnerability risk: Medium

CVSSv3.1: 5.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-3115

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
OpenSSH
Server applications / Remote management servers, RDP, SSH

Vendor: OpenSSH

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. <a href="https://cwe.mitre.org/data/definitions/93.html">CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')</a>

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSH: 7.0 - 7.2p1

External links
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&f=h
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178838.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179924.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/180491.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html
http://packetstormsecurity.com/files/136234/OpenSSH-7.2p1-xauth-Command-Injection-Bypass.html
http://rhn.redhat.com/errata/RHSA-2016-0465.html
http://rhn.redhat.com/errata/RHSA-2016-0466.html
http://seclists.org/fulldisclosure/2016/Mar/46
http://seclists.org/fulldisclosure/2016/Mar/47
http://www.openssh.com/txt/x11fwd.adv
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/84314
http://www.securitytracker.com/id/1035249
http://bto.bluecoat.com/security-advisory/sa121
http://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
http://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
http://security.gentoo.org/glsa/201612-18
http://www.exploit-db.com/exploits/39569/
http://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell VxRail Appliance
Input validation error in OpenSSH
Input validation error in openssh (Alpine package)
Amazon Linux AMI update for openssh
Slackware Linux update for openssh