OpenSSH Xauth Command Injection Vulnerability – Ubuntu 14.04 – PCI Compliance

I’m just going through PCI compliance for a company that I work for. The security scan picked up an apparent vulnerability in the OpenSSH server. The vulnerability had already been patched in Ubuntu 14.04 (Ubuntu backports security fixes into the existing package version, so the banner still reports 6.6.1p1 even though the fix is in), so this is a false positive. I thought I would post about it because I found lots of posts where people are trying to compile the latest OpenSSH server to get around this problem, when in fact it isn’t actually a problem. Compiling your own version of the OpenSSH server isn’t recommended because you will have to continually patch the package yourself from then on.

The warning text said:

Threat:
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.

The sshd server fails to validate user-supplied X11 authentication credentials when establishing an X11 forwarding session. An authenticated user may inject arbitrary xauth commands by sending an X11 channel request that includes a newline character in the X11 cookie.
Please note that systems with X11Forwarding enabled are affected.

Affected Versions:
OpenSSH versions prior to 7.2p2

Impact:
An authenticated, remote attacker can exploit this vulnerability to execute arbitrary commands on the targeted system.

Solution:
Users are advised to upgrade to the latest version of the software available. Refer to OpenSSH 7.2p2 Release Notes for further information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:
OpenSSH 7.2p2

Result:
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 detected on port 22 over TCP.
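The scanner only looks at the upstream version in the banner, which is exactly why it misfires on a distribution that backports fixes. The script below is an added example (not from the original post or from the scanner vendor) of how an admin can triage such a hit: it pulls the Ubuntu package revision out of the banner, compares it against a revision known to carry the fix, and checks whether X11Forwarding is actually enabled in sshd_config, since the advisory says only those systems are affected. It assumes the post's reported revision (2ubuntu2.8) as the "known patched" baseline; confirm the exact fixed revision against the Ubuntu Security Notice or the package changelog on your own host. The sshd_config excerpt in the demo is constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): triage a scanner finding
# against an Ubuntu sshd banner such as "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8".
# Ubuntu backports security fixes without changing the upstream version, so the
# package REVISION, not the upstream number, is what tells you whether the fix is in.

# Assumption: the post reports 2ubuntu2.8 as already fixed. Override with the
# revision named in the Ubuntu Security Notice / changelog if it differs.
PATCHED_REV="${PATCHED_REV:-2ubuntu2.8}"

# Extract the Ubuntu package revision from a banner. Prints nothing when the
# banner carries no "Ubuntu-<rev>" tag (e.g. a self-compiled sshd), in which
# case package-based reasoning simply does not apply.
banner_rev() {
    printf '%s\n' "$1" | sed -n 's/.*Ubuntu-\([0-9][0-9a-z.]*\).*/\1/p'
}

# Compare two revisions of the SAME upstream version by splitting them into
# numeric fields (2ubuntu2.8 -> 2 2 8) and comparing field by field.
# Returns 0 when $1 >= $2. Alphabetic parts are ignored on purpose; on a real
# host prefer `dpkg --compare-versions`, which implements the full Debian rules.
rev_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, fa, /[^0-9]+/); nb = split(b, fb, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? fa[i] + 0 : 0
            y = (i <= nb) ? fb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Effective global X11Forwarding value from an sshd_config file. sshd uses the
# FIRST value it finds for a keyword; directives inside Match blocks are skipped
# because the finding is about the global setting. Prints "yes" or "no"
# (OpenSSH's compiled-in default is no). Handles both "Key value" and "Key=value".
x11_forwarding() {
    awk '
        { gsub(/=/, " ") }                          # normalise Key=value to Key value
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blank lines
        tolower($1) == "match" { in_match = 1 }     # everything after Match is conditional
        !in_match && tolower($1) == "x11forwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    ' "$1"
}

# Verdict for one host. $1 = banner, $2 = path to its sshd_config.
#   patched            revision already carries the fix: scanner hit is a false positive
#   exposed            older revision and X11Forwarding is on: update the package
#   unpatched-x11-off  older revision but the affected feature is disabled: still update
#   unknown            no Ubuntu revision in the banner, cannot reason from packaging
assess() {
    rev=$(banner_rev "$1")
    if [ -z "$rev" ]; then
        echo unknown
    elif rev_ge "$rev" "$PATCHED_REV"; then
        echo patched
    elif [ "$(x11_forwarding "$2")" = yes ]; then
        echo exposed
    else
        echo unpatched-x11-off
    fi
}

# On a live Ubuntu host, let dpkg do the authoritative comparison.
live_check() {
    ver=$(dpkg-query -W -f='${Version}' openssh-server)    # e.g. 1:6.6p1-2ubuntu2.8
    echo "installed openssh-server: $ver"
    if dpkg --compare-versions "${ver#*-}" ge "$PATCHED_REV"; then echo patched; else echo unpatched; fi
    echo "global X11Forwarding: $(x11_forwarding /etc/ssh/sshd_config)"
}

# Demo on a constructed sshd_config (not a real host's file).
demo() {
    cfg="${TMPDIR:-/tmp}/sshd_config.example.$$"
    printf '%s\n' '# constructed sshd_config excerpt' 'Port 22' 'X11Forwarding yes' \
        'Match User backup' '    X11Forwarding no' > "$cfg"
    echo "banner from the post:       $(assess 'SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8' "$cfg")"
    echo "older revision, X11 on:     $(assess 'SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3' "$cfg")"
    echo "self-compiled sshd banner:  $(assess 'SSH-2.0-OpenSSH_7.2' "$cfg")"
    rm -f "$cfg"
}

demo
```

Run it as-is to see the three verdicts; on an actual 14.04 box call `live_check` instead, which uses `dpkg-query` and `dpkg --compare-versions` rather than the simplified numeric comparison. A scanner that reports the banner version alone cannot see backported fixes, so the package revision plus the X11Forwarding setting is the evidence to attach to the PCI false-positive dispute.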

I hope this is helpful to someone.