CVE-2016-1908 – openssh: possible fallback from untrusted to trusted X11 forwarding
https://notcve.org/view.php?id=CVE-2016-1908
The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server. El cliente en OpenSSH en versiones anteriores a 7.2 no maneja correctamente falló en la generación de cookies para el reenvío X11 no confiable y confía en el servidor X11 local para las decisiones de control de acceso, lo que permite a los clientes remotos X11 activar un fallback y obtener privilegios de reenvío X11 confiables aprovechando los problemas de configuración de este servidor X11, como lo demuestra la falta de la extensión SECURITY en este servidor X11. An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. • http://openwall.com/lists/oss-security/2016/01/15/13 http://rhn.redhat.com/errata/RHSA-2016-0465.html http://rhn.redhat.com/errata/RHSA-2016-0741.html http://www.openssh.com/txt/release-7.2 http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html http://www.securityfocus.com/bid/84427 http://www.securitytracker.com/id/1034705 https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c https://bugzilla.redhat.com/show_bug.cgi • CWE-284: Improper Access Control CWE-287: Improper Authentication •
CVE-2016-3115 – OpenSSH 7.2p1 - (Authenticated) xauth Command Injection
https://notcve.org/view.php?id=CVE-2016-3115
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. Múltiples vulnerabilidades de inyección CRLF en session.c en sshd en OpenSSH en versiones anteriores a 7.2p2 permite a usuarios remotos autenticados eludir las restricciones de comandos de shell previstas a través del redireccionamiento de datos X11 manipulados, relacionadas con las funciones (1) do_authenticated1 y (2) session_x11_req. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. OpenSSH versions 7.2p1 and below suffer from a command injection and /bin/false bypass vulnerability via xauth. • https://www.exploit-db.com/exploits/39569 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&f=h http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178838.html http://lists.fedoraproject.org/pipermail& • CWE-20: Improper Input Validation •
CVE-2016-1907
https://notcve.org/view.php?id=CVE-2016-1907
The ssh_packet_read_poll2 function in packet.c in OpenSSH before 7.1p2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic. La función ssh_packet_read_poll2 en packet.c en OpenSSH en versiones anteriores a 7.1p2 permite a atacantes remotos causar una denegación de servicio (lectura fuera de rango y caída de aplicación) a través de tráfico de red manipulado. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176516.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175676.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176349.html http://www.openssh.com/txt/release-7.1p2 http://www.securityfocus.com/bid/81293 https://anongit.mindrot.org/openssh.git/commit/?id=2fecfd486bdba9f51b3a789277bb0733ca36e1c0 https://bto.bluecoat.com/security-advisory/sa109 https://cert-portal.siemens.com/productcert/pd • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2016-0778 – OpenSSH: Client buffer-overflow when using roaming connections
https://notcve.org/view.php?id=CVE-2016-0778
The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings. Las funciones (1) roaming_read y (2) roaming_write en roaming_common.c en el cliente en OpenSSH 5.x, 6.x y 7.x en versiones anteriores a 7.1p2, cuando ciertas opciones proxy y forward se encuentran habilitadas, no mantiene adecuadamente los descriptores de archivo de conexión, lo que permite a servidores remotos causar una denegación de servicio (desbordamiento de buffer basado en memoria dinámica) o posiblemente tener otro impacto no especificado mediante la petición de varios reenvíos. A buffer overflow flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to execute arbitrary code on a successfully authenticated OpenSSH client if that client used certain non-default configuration options. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10734 http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176516.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176349.html http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2016-01& • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVE-2016-0777 – OpenSSH: Client Information leak due to use of roaming connection feature
https://notcve.org/view.php?id=CVE-2016-0777
The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key. La función resend_bytes en roaming_common.c en el cliente en OpenSSH 5.x, 6.x y 7.x en versiones anteriores a 7.1p2 permite a servidores remotos obtener información sensible desde la memoria de proceso mediante la petición de transmisión de un buffer completo, según lo demostrado mediante la lectura de una clave privada. An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10734 http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176516.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175592.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175676.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176349.html http://lists.opensuse.org/opensuse-security-announce • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-682: Incorrect Calculation •