OpenSSH Xauth Command Injection Vulnerability – Ubuntu 14.04 – PCI Compliance

I’m just going through PCI Compliance for a company that I work for. The security scan picked up an apparent vulnerability in the OpenSSH server. The vulnerability had been patched in Ubuntu 14.04 and so this is a false positive. I thought that I would post about it because I found lots of posts where people are trying to compile the latest OpenSSH servers to get around this problem – when in fact it isn’t actually a problem. Compiling your own version of the OpenSSH server isn’t recommended because you will have to continually patch the package yourself from then on.

The warning text said:

OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.

The sshd server fails to validate user-supplied X11 authentication credentials when establishing an X11 forwarding session. An authenticated user may inject arbitrary xauth commands by sending an x11 channel request that includes a newline character in the x11 cookie.
Please note that Systems with X11Forwarding enabled are affected.

Affected Versions:
OpenSSH versions prior to 7.2p2
An authenticated, remote attacker can exploit this vulnerability to execute arbitrary commands on the targeted system.
Users are advised to upgrade to the latest version of the software available. Refer to OpenSSH 7.2p2 Release Notes for further information.

Following are links for downloading patches to fix the vulnerabilities:

OpenSSH 7.2p2
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 detected on port 22 over TCP.

I hope this is helpful to someone.
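The scanner matched on the banner alone, which is why a distro build with a backported fix still gets flagged. The sketch below is an added example, not code from the scanner or from OpenSSH: it triages such a finding from the banner and the effective `X11Forwarding` setting. The function names and result labels are hypothetical, and the `sshd -T` lines are constructed sample input.

```python
import re

FIXED_UPSTREAM = "7.2p2"  # threshold quoted by the scanner: "prior to 7.2p2"
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+(?:\.\d+)*(?:p\d+)?)(?:\s+(\S+))?")

def version_key(text):
    """'6.6.1p1' -> ([6, 6, 1], 1) so versions compare in release order."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:p(\d+))?", text)
    nums = [int(n) for n in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    return nums, int(m.group(2) or 0)

def parse_banner(banner):
    """Return (upstream_version, vendor_suffix or None), or None if not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    return (m.group(1), m.group(2)) if m else None

def x11_forwarding_enabled(sshd_dump):
    """Read the effective setting from `sshd -T` output (keywords are lowercase)."""
    for line in sshd_dump.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "x11forwarding":
            return parts[1].lower() == "yes"
    return False  # sshd's built-in default is "no"

def triage(banner, sshd_dump):
    """Classify a banner-based finding; labels are hypothetical, for this example."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    upstream, vendor = parsed
    if version_key(upstream) >= version_key(FIXED_UPSTREAM):
        return "not-affected"
    if not x11_forwarding_enabled(sshd_dump):
        return "not-exposed"  # the advisory only covers X11Forwarding-enabled hosts
    if vendor:
        # Distro build: the upstream number stays frozen while fixes are
        # backported, so confirm against the package changelog instead.
        return "verify-package"
    return "vulnerable-by-version"

if __name__ == "__main__":
    banner = "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8"  # banner from the scan
    dump = "port 22\nx11forwarding yes\n"                 # constructed sample
    print(triage(banner, dump))
```

A `verify-package` result is the point at which to compare the installed package revision against the distribution's security notice and submit that as false-positive evidence, rather than rebuilding OpenSSH from source.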
