CVE-2016-1908

The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
Affected Products (NVD)
VendorProductVersion
openbsdopenssh
𝑥
< 7.2
debiandebian_linux
8.0
redhatenterprise_linux_desktop
6.0
redhatenterprise_linux_desktop
7.0
redhatenterprise_linux_eus
7.2
redhatenterprise_linux_eus
7.3
redhatenterprise_linux_eus
7.4
redhatenterprise_linux_eus
7.5
redhatenterprise_linux_eus
7.6
redhatenterprise_linux_eus
7.7
redhatenterprise_linux_server
6.0
redhatenterprise_linux_server
7.0
redhatenterprise_linux_server_aus
7.2
redhatenterprise_linux_server_aus
7.3
redhatenterprise_linux_server_aus
7.4
redhatenterprise_linux_server_aus
7.6
redhatenterprise_linux_server_aus
7.7
redhatenterprise_linux_server_tus
7.2
redhatenterprise_linux_server_tus
7.3
redhatenterprise_linux_server_tus
7.6
redhatenterprise_linux_server_tus
7.7
redhatenterprise_linux_workstation
6.0
redhatenterprise_linux_workstation
7.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openssh
bookworm
1:9.2p1-2+deb12u3
fixed
bookworm (security)
1:9.2p1-2+deb12u3
fixed
bullseye
1:8.4p1-5+deb11u3
fixed
bullseye (security)
1:8.4p1-5+deb11u3
fixed
sid
1:9.9p1-3
fixed
squeeze
no-dsa
trixie
1:9.9p1-3
fixed
wheezy
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openssh
precise
Fixed 1:5.9p1-5ubuntu1.9
released
trusty
Fixed 1:6.6p1-2ubuntu2.7
released
vivid
ignored
wily
Fixed 1:6.9p1-2ubuntu0.2
released
xenial
not-affected
yakkety
not-affected
zesty
not-affected
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
openssh
RHEL 6
0:5.3p1-117.el6
fixed
RHEL 7
0:6.6.1p1-25.el7_2
fixed
openssh-askpass
RHEL 6
0:5.3p1-117.el6
fixed
RHEL 7
0:6.6.1p1-25.el7_2
fixed
openssh-clients
RHEL 6
0:5.3p1-117.el6
fixed
RHEL 7
0:6.6.1p1-25.el7_2
fixed
openssh-keycat
RHEL 7
0:6.6.1p1-25.el7_2
fixed
openssh-ldap
RHEL 6
0:5.3p1-117.el6
fixed
RHEL 7
0:6.6.1p1-25.el7_2
fixed
openssh-server
RHEL 6
0:5.3p1-117.el6
fixed
RHEL 7
0:6.6.1p1-25.el7_2
fixed
openssh-server-sysvinit
RHEL 7
0:6.6.1p1-25.el7_2
fixed
pam
RHEL 6
0:0.9.3-117.el6
fixed
RHEL 7
0:0.9.3-9.25.el7_2
fixed
Common Weakness Enumeration
References
http://openwall.com/lists/oss-security/2016/01/15/13
http://rhn.redhat.com/errata/RHSA-2016-0465.html
http://rhn.redhat.com/errata/RHSA-2016-0741.html
http://www.openssh.com/txt/release-7.2
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
http://www.securityfocus.com/bid/84427
http://www.securitytracker.com/id/1034705
https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
https://bugzilla.redhat.com/show_bug.cgi?id=1298741
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
https://security.gentoo.org/glsa/201612-18
http://openwall.com/lists/oss-security/2016/01/15/13
http://rhn.redhat.com/errata/RHSA-2016-0465.html
http://rhn.redhat.com/errata/RHSA-2016-0741.html
http://www.openssh.com/txt/release-7.2
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
http://www.securityfocus.com/bid/84427
http://www.securitytracker.com/id/1034705
https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
https://bugzilla.redhat.com/show_bug.cgi?id=1298741
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
https://security.gentoo.org/glsa/201612-18