Vulnerability Alert

OpenSSH Forwarded X11 Connection Session Hijack Vulnerability

 
Threat Type: CWE-20: Input Validation
IntelliShield ID: 15536
Version: 17
First Published: 2008 March 31 20:25 GMT
Last Published: 2011 August 18 12:05 GMT
Port: 6010
CVE: CVE-2008-1483
BugTraq ID: 28444
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 1.7 (CVSS Version 2.0)
CVSS Temporal: 1.4
 
 
Version Summary:

MontaVista Software has released a security alert and updated software to address the OpenSSH forwarded X11 connection session hijack vulnerability.

 
 
Description

Globus GSI-OpenSSH versions 4.2 and prior and OpenSSH versions 4.9p1 and prior contain a vulnerability that could allow a local attacker to disclose sensitive information.

The vulnerability exists because of an error in OpenSSH when binding TCP ports on the local IPv6 and IPv4 interfaces.  An attacker may exploit the vulnerability to hijack X11 connections to intercept sensitive information. 

Exploit code is not required.

Globus and OpenSSH have confirmed the vulnerability and released updated software.

 
Warning Indicators

OpenSSH versions 4.9p1 and prior are vulnerable. Because Globus GSI-OpenSSH is a modified version of OpenSSH, versions 4.2 and prior of this product are vulnerable.

 
IntelliShield Analysis

To exploit the vulnerability, an attacker must have local account access on the system.  This requirement decreases the likelihood of an attack.  Successful exploitation could allow an attacker to hijack forwarded X11 connections simply by listening on TCP port 6010 to intercept the session.  An exploit could lead to sensitive information disclosure.

 
Vendor Announcements

Globus has released a security advisory at the following link: Globus Security Advisory 2008-01

OpenSSH has published a changelog at the following link: OpenSSH 5.0

Apple has released a security update at the following link: Security Update 2008-006 (CVE-2008-1483) 

Attachmate has released a technical note at the following link: 2374

Avaya has released a security advisory at the following link: ASA-2008-205 

FreeBSD has released a security advisory at the following FTP link: FreeBSD-SA-08:05

Gentoo has released a security advisory at the following link: GLSA 200804-03 

HP has released a security bulletin at the following link: HPSBUX02337 

IBM has released a security advisory at the following link: AIX pioout buffer overflow 

Mandriva has released a security advisory at the following link: MDVSA-2008:078 

MontaVista Software has released a security alert for registered users on August 17, 2011, at the following link: MontaVista Security Fixes

NetBSD has released a security advisory at the following FTP link: NetBSD-SA2008-005

Novell has released a knowledgebase article at the following link: Security update for OpenSSH

OpenBSD has released security announcements at the following links: 016: SECURITY FIX: April 3, 2008, 011: SECURITY FIX: April 3, 2008, and 002: SECURITY FIX: April 3, 2008

Slackware has released a security advisory at the following link: SSA:2008-095-01 

Sun has re-released an alert notification at the following link: 237444 

SUSE has released a security summary report at the following link: SUSE-SR:2008:009 

Turbolinux has released a security advisory at the following link: TLSA-2008-14 

Ubuntu has released a security notice at the following link: USN-597-1 

 
Impact

A local attacker could exploit the vulnerability to intercept an X11 forwarding session, which could result in the disclosure of sensitive information.  This information may allow the attacker to launch additional attacks against the vulnerable system.

 
Technical Information

An attacker with local account access could exploit the vulnerability.  Additional authentication is not required.

The vulnerability exists because the sshd daemon does not properly bind and use TCP ports on the local IPv6 interface if required ports on the IPv4 interface are in use.  A local attacker could exploit the vulnerability by causing OpenSSH to set DISPLAY to :10.  This setting allows attackers to listen on TCP port 6010 on the IPv4 interface even if another process is listening on the associated port.  The attacker could hijack forwarded X11 connections and intercept the session.  An exploit could result in the disclosure of sensitive information.

 
Safeguards

Administrators are advised to apply the appropriate updates.

Administrators are advised to restrict local account access.

Administrators are advised to restrict access to TCP port 6010.
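
One way to check a host for the condition described under Technical Information, where a process other than sshd holds an X11 forwarding port on one address family while sshd listens on the other. This is an added example, not part of the original alert; the `ss -H -tlnp` sample lines, the process name `otherproc`, the PIDs, and the 50-port scan window are constructed or assumed.

```python
import re
from collections import defaultdict

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
# "otherproc" and all PIDs are made up for this example.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("otherproc",pid=4102,fd=3))
LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=2211,fd=8))
LISTEN 0 128 127.0.0.1:6011 0.0.0.0:* users:(("sshd",pid=2307,fd=9))
LISTEN 0 128 [::1]:6011 [::]:* users:(("sshd",pid=2307,fd=8))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
"""

# Fields: state, recv-q, send-q, local addr:port, peer, first owning process.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)

def x11_forward_listeners(ss_output, first_port=6010, window=50):
    """Map port -> {"ipv4"|"ipv6": {(process, pid)}} for X11 forwarding ports.

    Port 6010 corresponds to DISPLAY :10; the window size is an assumption.
    """
    by_port = defaultdict(dict)
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a listener line, or owner not visible (run as root)
        addr, port = m.group(1), int(m.group(2))
        if first_port <= port < first_port + window:
            family = "ipv6" if ":" in addr else "ipv4"
            owner = (m.group(3), int(m.group(4)))
            by_port[port].setdefault(family, set()).add(owner)
    return by_port

def find_split_ownership(ss_output):
    """Report ports that sshd shares with a listener that is not sshd."""
    findings = []
    for port, families in sorted(x11_forward_listeners(ss_output).items()):
        owners = set().union(*families.values())
        foreign = sorted(o for o in owners if o[0] != "sshd")
        if foreign and any(name == "sshd" for name, _ in owners):
            findings.append({"port": port, "display": port - 6000,
                             "foreign": foreign, "families": sorted(families)})
    return findings

if __name__ == "__main__":
    for f in find_split_ownership(SAMPLE_SS):
        print(f"port {f['port']} (DISPLAY :{f['display']}): "
              f"non-sshd listener(s) {f['foreign']}")
```

On a live host, feed the function the output of `ss -H -tlnp` collected as root, since owning processes of other users' sockets are not shown to unprivileged callers.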

 
Patches/Software

Globus has released an updated version at the following link: GSI-OpenSSH 4.3.  Globus has also released a patch at the following FTP link: openssh-5.0p1.patch

An updated version is available at the following link: OpenSSH 5.0

Apple has released updates at the following links:

Security Update 2008-006 Client (Intel)  
Security Update 2008-006 Client (PPC)  
Security Update 2008-006 Server (PPC)  
Security Update 2008-006 Server (Universal)  
Mac OS X 10.5.5 Update  
Mac OS X Server 10.5.5 

Attachmate has released a service pack for registered users at the following link: Reflection for Secure IT UNIX Client and Server 7.0 Service Pack 1 (SP1)

FreeBSD has released a patch at the following link: OpenSSH 

Gentoo updates can be obtained for the following package using the emerge command: net-misc/openssh

HP has released updated software at the following links:

HP-UX B.11.11 A.05.00.012 or subsequent  
HP-UX B.11.23 A.05.00.013 or subsequent 
HP-UX B.11.31 A.05.00.014 or subsequent 

IBM has released a fix at the following link: IBM 

Mandriva products can be updated automatically using MandrivaUpdate.

MontaVista Software has released updated software at the following links:

Pro 4.0.1
CGE 4.0.1
Mobilinux 4.1
Mobilinux 4.0.2

NetBSD has released information on obtaining source code patches at the following FTP link: NetBSD

Novell has released updated packages; users can install the updates using YaST.

OpenBSD has released source code patches at the following FTP links: OpenBSD 4.1, OpenBSD 4.2, and OpenBSD 4.3

Slackware packages can be updated using the upgradepkg command.

Sun has released patches at the following links:

SPARC
Solaris 9 with patch 114356-14 or later
Solaris 10 with patch 126133-03 or later

Intel
Solaris 9 with patch 114357-13 or later
Solaris 10 with patch 126134-03 or later

SUSE has released updated packages; users can install the updates using YaST.

Turbolinux packages can be updated using the turbopkg command.

Ubuntu has released updated packages; users can install the updates using Update Manager.

 
Alert History
 

Version 16, September 17, 2008, 2:03 PM: Apple has released a security update and updated software to address the forwarded X11 connection session hijack vulnerability in OpenSSH.

Version 15, September 22, 2008, 7:59 AM: Sun has re-released an alert notification and patches to address the forwarded X11 connection session hijack vulnerability in OpenSSH.

Version 14, August 20, 2008, 7:06 AM: Attachmate has released a technical note and service pack to address the forwarded X11 connection session hijack vulnerability in OpenSSH.

Version 13, May 22, 2008, 12:23 PM: HP and IBM have released security advisories and updated packages to address the forwarded X11 connection session hijack vulnerability in OpenSSH.

Version 12, May 14, 2008, 9:51 AM: Avaya has released a security advisory to address the forwarded X11 connection session hijack vulnerability.

Version 11, May 6, 2008, 10:33 AM: Sun has released an alert notification to address the forwarded X11 connection session hijack vulnerability in sshd shipped with Sun Solaris.

Version 10, April 23, 2008, 9:53 AM: NetBSD has released a security advisory and source code patches to address the forwarded X11 connection session hijack vulnerability in OpenSSH.

Version 9, April 21, 2008, 1:41 PM: FreeBSD has released a security advisory and ports collection updates to address the forwarded X11 connection session hijack vulnerability.

Version 8, April 17, 2008, 3:42 PM: Turbolinux has released a security advisory and updated packages to address the forwarded X11 connection session hijack vulnerability.

Version 7, April 14, 2008, 12:10 PM: SUSE has released a security summary report and updated packages to address the forwarded X11 connection session hijack vulnerability.

Version 6, April 11, 2008, 5:56 PM: Novell has released a knowledgebase article and updated packages to address the forwarded X11 connection session hijack vulnerability.

Version 5, April 8, 2008, 6:27 PM: Globus and Slackware have released security advisories and updated software to address the forwarded X11 connection session hijack vulnerability.

Version 4, April 8, 2008, 10:12 AM: OpenSSH has released an updated version to address the forwarded X11 connection session hijack vulnerability.  OpenBSD has released security announcements and released updated software.

Version 3, April 7, 2008, 11:34 AM: Gentoo has released a security advisory and updated packages to address the OpenSSH forwarded X11 connection session hijack vulnerability.

Version 2, April 2, 2008, 11:07 AM: Ubuntu has released a security notice and updated packages to address the OpenSSH forwarded X11 connection session hijack vulnerability.

Version 1, March 31, 2008, 4:25 PM: OpenSSH contains a vulnerability that could allow a local attacker to hijack forwarded X11 connections, which could allow the attacker to intercept sensitive information.  Updates are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Globus Alliance: GSI-OpenSSH 3.0 Base | 3.1 Base | 3.2 Base | 3.3 Base | 3.4 Base | 3.5 Base | 3.6 Base | 3.7 Base | 3.8 Base | 3.9 Base | 4.0 .0 | 4.1 .0 | 4.2 Base
OpenBSD: OpenSSH 4.0 Base | 4.0p1 Base | 4.1 Base | 4.1p1 Base | 4.2 Base | 4.2p1 Base | 4.2p2 Base | 4.3 Base | 4.3p1 Base | 4.3p2 Base | 4.4 Base | 4.5 Base | 4.6 Base | 4.7 Base | 4.9 Base | 4.9p1 Base

Associated Products:
Apple: Mac OS X 10.4.0 Base | 10.4.1 Base | 10.4.2 Base | 10.4.3 Base | 10.4.4 Intel, PPC | 10.4.5 Intel, PPC | 10.4.6 Intel, PPC | 10.4.7 Intel, PPC | 10.4.8 Intel, PPC | 10.4.9 Intel, PPC | 10.4.10 Intel, PPC | 10.4.11 Intel, PPC | 10.5 Intel, PPC | 10.5.1 Intel, PPC | 10.5.2 Intel, PPC | 10.5.3 Intel, PPC | 10.5.4 Intel, PPC
Apple: Mac OS X Server 10.4.0 Base | 10.4.1 Base | 10.4.2 Base | 10.4.3 Base | 10.4.4 Base | 10.4.5 Base | 10.4.6 Base | 10.4.7 Intel, PPC | 10.4.8 Intel, PPC | 10.4.9 Intel, PPC | 10.4.10 Intel, PPC | 10.4.11 PPC, Intel | 10.5 Intel, PPC | 10.5.1 Intel, PPC | 10.5.2 Intel, PPC | 10.5.3 Intel, PPC | 10.5.4 Intel, PPC
Avaya, Inc.: Interactive Response (IR) 2.0 Base | 3.0 Base
FreeBSD Project: FreeBSD 5.5 Base | 6.0 Base | 6.1 Base | 6.2 Base | 6.3 Base | 7.0 Base
Gentoo Technologies, Inc.: Gentoo Linux 2004 .0, .1, .2, .3 | 2005 .0 | 2006 .0, .1 | 2007 .0
Globus Alliance: Globus Toolkit 4.0 .0, .1, .2, .3, .4, .5, .6, .7 | 4.1 .0, .1, .2, .3
HP: HP-UX 11.11/11i Base | 11.23 Base | 11.31 Base
IBM: AIX 5.2.0 Base | 5.3 Base, .7.0, .7.1 | 6.1 .0
MandrakeSoft, Inc.: Linux-Mandrake Corporate Server 3.0 i586, x86_64 | 4.0 i586, x86_64
Mandrivasoft Inc: Mandrivalinux 2007.0 i586, x86_64 | 2007.1 i586, x86_64 | 2008.0 i586, x86_64
Mandrivasoft Inc: Multi Network Firewall 2.0 i586
MontaVista: MontaVista Linux Professional 4.0.1 | Mobilinux 4.0.2, 4.1 | CGE 4.0.1
NetBSD Foundation: NetBSD 3.0 Base | 3.0.1 Base | 3.0.2 Base | 3.0.3 Base | 3.1 Base | 3.1.1 Base | 4.0 Base
Novell, Inc.: Novell Linux Desktop 9 x86, x86_64
Novell, Inc.: Novell Linux POS 9 Base
Novell, Inc.: Novell Open Enterprise Server 2 Base
Novell, Inc.: SuSE Linux Enterprise Desktop (SLED) 10 SP1 amd64, SP1 x86, SP1 em64t
OpenBSD: OpenBSD 4.1 Base | 4.2 Base | 4.3 Base
Sun Microsystems, Inc.: Solaris 9 sparc, intel | 10 sparc, x64/x86
SUSE: SuSE Linux 10.0 i386, i586, x86_64, PowerPC | 10.1 i586, x86, x86_64, PPC, PPC64
SUSE: SuSE Linux Desktop 1.0 Base
SUSE: SUSE Linux Enterprise Desktop (SLED) 10 SP1 amd64, SP1 x86, SP1 em64t
SUSE: SuSE Linux Enterprise Server 8 amd64, itanium2, iSeries, pSeries, x86, zSeries (s/390), zSeries (s/390x) | 9 IBM Power, IPF (itanium), iSeries, pSeries, s/390, x86, x86-64 (amd64, em64t), zSeries, zSeries 64bit | 10 AMD64, Intel EM64T, Itanium (IPF), IBM Power, x86, zSeries, zSeries 64bit, iSeries, pSeries, SP1 AMD64, SP1 Intel EM64T, SP1 Itanium (IPF), SP1 IBM Power, SP1 x86, SP1 zSeries 64bit
SUSE: SuSE Linux Openexchange Server 4.1 Base
SUSE: SuSE Linux Retail Solution 8 Base
SUSE: SuSE Linux Standard Server 8 Base
The Slackware Linux Project: Slackware Linux 8.1 i386 | 9.0 i386 | 9.1 i486 | 10.0 i486 | 10.1 i486 | 10.2 i486 | 11.0 i486 | 12.0 i486
Turbolinux, Inc.: Turbolinux Appliance Server 2.0 i586
Turbolinux, Inc.: Turbolinux Appliance Server Hosting Edition 1.0 i586
Turbolinux, Inc.: Turbolinux Appliance Server Workgroup Edition 1.0 i586
Turbolinux, Inc.: Turbolinux Server 10 i586, x64 | 11 x86_64, i686
Ubuntu Linux: Ubuntu Linux 6.06 LTS Desktop AMD64, Intel x86, PowerPC, SPARC | 6.06 LTS Server AMD64, Intel x86, PowerPC, SPARC | 6.10 AMD64, Intel x86, PowerPC, sparc | 7.04 AMD64, Intel x86, PowerPC, sparc | 7.10 AMD64, Intel x86, powerpc, PPC, SPARC
WRQ, Inc.: Reflection for Secure IT for UNIX 7.0 Base




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.

