OpenSSH on Friday last Wednesday dropped a patch for a vulnerability that could expose files to theft and manipulation.
The flaw affects all versions of OpenSSH prior to 7.2p2 with X11Forwarding enabled, the OpenSSH project said in its advisory.
Unpatched versions of OpenSSH don’t properly sanitize input and can be abused to inject commands to xauth.
“Injection of xauth commands grants the ability to read arbitrary files under the authenticated user’s privilege,” the advisory says. “Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth, which was not written with a hostile user in mind, as an attack surface.”
OpenSSH are network-level security utilities used to encrypt traffic over SSH remote logins. Xauth is a mechanism that handles remote and VPN authentication.
“Xauth is run under the user’s privilege, so this vulnerability offers no additional access to unrestricted accounts, but could circumvent key or account restrictions such as sshd_config ForceCommand, authorized_keys command=”…” or restricted shells,” OpenSSH said.
OpenSSH warns that vulnerable versions don’t sanitize meta-characters from the authentication scheme and credential data sent in an X11 Forwarding session to xauth.
“An attacker could therefore supply a credential that injected commands to xauth,” the advisory says. “The attacker could then use a number of xauth commands to read or overwrite arbitrary files subject to file permissions, connect to local ports or perform attacks on xauth itself. OpenSSH 7.2p2 implements a whitelist of characters that are permitted to appear in X11 authentication credentials.”
This is the second major update of 2016 to OpenSSH. In January, a client vulnerability was patched that could have been exploited to leak private cryptographic keys.
The vulnerability was found by Qualys researchers, who said attackers would have to use a malicious server in order to force a client to give up the key. The vulnerability was found in a non-documented feature called roaming that supports the resumption of interrupted SSH connections.
This article was updated March 14 to correct the day the patch was released from last Friday to last Wednesday.