Vulnerability identifier: #VU33811
Vulnerability risk: Medium
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/U:Green]
CVE-ID: CVE-2016-3115
CWE-ID: CWE-20
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software: OpenSSH (Server applications / Remote management servers, RDP, SSH)
Vendor: OpenSSH
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') (https://cwe.mitre.org/data/definitions/93.html)
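As an added illustration of the defence (example code, not OpenSSH's own; the exact character allow-list is an assumption chosen for this example): the client-supplied X11 authentication protocol name and cookie are validated before being placed on an xauth "add" line, so a value carrying CR or LF can never turn into a second xauth command.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allow-list check for the two client-controlled X11 strings (auth protocol
 * name and auth cookie). Anything outside this set, including CR and LF,
 * is rejected. The set itself is an assumption for this example. */
static int xauth_valid_string(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != ':' && c != '/' &&
            c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* Build the single "add" line that sshd hands to xauth on stdin.
 * Returns the line length, or -1 if either string fails validation or the
 * buffer is too small, so the caller never writes an unvalidated value. */
static int build_xauth_add_line(char *out, size_t outlen,
                                const char *display, const char *proto,
                                const char *data)
{
    if (!xauth_valid_string(proto) || !xauth_valid_string(data))
        return -1;
    int n = snprintf(out, outlen, "add %s %s %s\n", display, proto, data);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    char line[256];
    /* constructed sample values: a well-formed hex cookie and one that
     * smuggles a line break (the CRLF injection this advisory describes) */
    const char *good = "00112233445566778899aabbccddeeff";
    const char *bad  = "0011\nsecond-line";
    printf("good cookie -> %d\n", build_xauth_add_line(line, sizeof line,
           "unix:10.0", "MIT-MAGIC-COOKIE-1", good));
    printf("bad cookie  -> %d\n", build_xauth_add_line(line, sizeof line,
           "unix:10.0", "MIT-MAGIC-COOKIE-1", bad));
    return 0;
}
```

Disabling X11Forwarding in sshd_config removes the code path entirely where forwarding is not needed.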
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
OpenSSH: 7.0 - 7.2p1
External links
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&f=h
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178838.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179924.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/180491.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html
https://packetstormsecurity.com/files/136234/OpenSSH-7.2p1-xauth-Command-Injection-Bypass.html
https://rhn.redhat.com/errata/RHSA-2016-0465.html
https://rhn.redhat.com/errata/RHSA-2016-0466.html
https://seclists.org/fulldisclosure/2016/Mar/46
https://seclists.org/fulldisclosure/2016/Mar/47
https://www.openssh.com/txt/x11fwd.adv
https://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
https://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
https://www.securityfocus.com/bid/84314
https://www.securitytracker.com/id/1035249
https://bto.bluecoat.com/security-advisory/sa121
https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
https://security.gentoo.org/glsa/201612-18
https://www.exploit-db.com/exploits/39569/
https://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.