J-Security Center

Title: OpenSSH 'X11UseLocalhost' X11 Forwarding Session Hijacking Vulnerability

Severity: MODERATE

Description:

OpenSSH is a free implementation of the Secure Shell protocol suite. It is available for various operating systems.

OpenSSH is prone to a vulnerability that allows attackers to hijack forwarded X connections.

The issue occurs when the 'X11UseLocalhost' option is set to 'no' in the 'sshd_config' configuration file. This setting makes OpenSSH use 'SO_REUSEADDR' when performing bind operations on a port. Some operating systems (such as HP-UX) fail to check the effective userid or the overlapping of addresses before allowing rebinding of a port.

Local attackers may be able to perform man-in-the-middle attacks on a forwarded X connection by reusing the port bound for it and intercepting the traffic.

NOTE: For an exploit to succeed, the underlying operating system must allow rebinding of a port without checking the effective userid or the overlapping of addresses. Also, the 'X11UseLocalhost' option must be disabled. This option is enabled by default.
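The exposure described above depends on a single sshd_config setting, so the practical check is whether the effective value of 'X11UseLocalhost' is 'no'. The following POSIX shell helper is an added example, not code from the advisory or from OpenSSH: it reads sshd_config text on standard input and reports the effective value, honouring the parsing rules sshd applies (keywords are case-insensitive, the first occurrence of a keyword wins, and the compiled-in default when the keyword is absent is 'yes'). It assumes the whitespace-separated 'Keyword value' form only; the sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added audit helper, not part of the advisory or of OpenSSH: reads sshd_config
# text on stdin and reports the effective X11UseLocalhost value.
# Assumptions: whitespace-separated "Keyword value" lines; sshd keywords are
# case-insensitive; the first occurrence of a keyword wins; the default when
# the keyword is absent is "yes".

# x11uselocalhost_value < sshd_config  ->  prints "yes" or "no"
x11uselocalhost_value() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        tolower($1) == "x11uselocalhost" && !found {
            found = 1                         # first occurrence wins
            val = tolower($2)
        }
        END { print (found ? val : "yes") }   # compiled-in default is "yes"
    '
}

# x11_listener_exposed < sshd_config  ->  exit 0 when X11UseLocalhost is "no",
# i.e. the forwarded X11 listener is not confined to the loopback interface
x11_listener_exposed() {
    [ "$(x11uselocalhost_value)" = "no" ]
}

# Constructed sample configurations (not taken from any real host).
# The option is disabled here; the later, mixed-case copy of the keyword is
# ignored because sshd honours the first occurrence.
WEAK_CONFIG='Port 22
X11Forwarding yes
x11uselocalhost no
X11UseLocalhost yes'

# Explicitly set to the default.
FIXED_CONFIG='Port 22
X11Forwarding yes
X11UseLocalhost yes'

# Keyword absent: sshd falls back to the default "yes".
DEFAULT_CONFIG='Port 22
X11Forwarding yes'

# check_config NAME CONFIG_TEXT -> prints a one-line verdict for the config
check_config() {
    name=$1
    if printf '%s\n' "$2" | x11_listener_exposed; then
        echo "$name: X11UseLocalhost is 'no'; forwarded X11 listener is not limited to loopback"
    else
        echo "$name: X11UseLocalhost effective value is $(printf '%s\n' "$2" | x11uselocalhost_value)"
    fi
}

check_config weak    "$WEAK_CONFIG"
check_config fixed   "$FIXED_CONFIG"
check_config default "$DEFAULT_CONFIG"
```

On OpenSSH 5.1 and later, `sshd -T` prints the effective configuration in the same lowercase 'keyword value' form, so the running daemon can be audited with `sshd -T | x11uselocalhost_value` instead of parsing the file by hand; the 5.0 release covered by this advisory predates that option, so the file-based check above is the one that applies to it.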

The issue affects OpenSSH 5.0; other versions may also be vulnerable.

Affected Products:

  • OpenSSH 5.0
