FixVibe
Research note · medium

OpenSSH CRLF Injection in X11 Forwarding (CVE-2016-3115)

OpenSSH versions prior to 7.2p2 are vulnerable to multiple CRLF injection flaws in session.c. These vulnerabilities allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data.

CVE-2016-3115 · CWE-93

Attacker Impact

Remote authenticated users can exploit this vulnerability to bypass intended shell-command restrictions, potentially executing unauthorized commands on the target system [S1].

Root Cause

The vulnerability stems from multiple CRLF (Carriage Return Line Feed) injection flaws in the session.c file of the sshd daemon [S1]. Specifically, the do_authenticated1 and session_x11_req functions fail to reject crafted X11 forwarding data containing carriage-return and line-feed characters [S1]. Because the client-supplied X11 authentication protocol name and cookie are written into the command stream that sshd feeds to xauth(1), injected line breaks are interpreted as additional xauth commands rather than as part of the cookie.

Concrete Fixes

To remediate this issue, administrators should upgrade OpenSSH to version 7.2p2 or later [S1].

Detection and Mitigation

Organizations can identify exposure by auditing the version of OpenSSH running on their servers to determine if it is a version prior to 7.2p2 [S1]. While the primary fix is a software update, disabling X11 forwarding in the sshd_config file may mitigate the specific attack vector if the functionality is not required [S1].
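The exposure audit described above, as an added example that is not FixVibe's own tooling: it parses the OpenSSH version out of an sshd banner or `ssh -V` output, compares it against 7.2p2, and checks whether sshd_config enables X11Forwarding; the sample banner and configuration are constructed, and Match blocks in sshd_config are not evaluated.

```python
import re

# OpenSSH 7.2p2 is the first release carrying the fix, per the note above.
FIXED_VERSION = (7, 2, 2)

# Matches "OpenSSH_7.2p2", "OpenSSH_6.6.1p1" and the bare OpenBSD form "OpenSSH_7.2".
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p(\d+))?")


def parse_openssh_version(banner: str):
    """Return (major, minor, patch) from an sshd banner or `ssh -V` output.
    A bare version without a 'pN' suffix gets patch level 0, so it sorts
    before 7.2p1 and is conservatively treated as pre-fix."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(banner: str) -> bool:
    version = parse_openssh_version(banner)
    if version is None:
        raise ValueError(f"no OpenSSH version found in: {banner!r}")
    return version < FIXED_VERSION


def x11_forwarding_enabled(sshd_config: str) -> bool:
    """True if the global X11Forwarding directive is 'yes'. As in sshd, the
    first occurrence wins, comments are ignored and the default is 'no'.
    Match blocks are not evaluated (simplification)."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "x11forwarding":
            return parts[1].strip().lower() == "yes"
    return False


def assess(banner: str, sshd_config: str) -> str:
    """Classify a host as 'patched', 'mitigated' or 'exposed' for CVE-2016-3115."""
    if not is_vulnerable_version(banner):
        return "patched"
    return "exposed" if x11_forwarding_enabled(sshd_config) else "mitigated"


# Constructed sample inputs, not taken from any real host.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_7.2p1 Ubuntu-4ubuntu2.1"
SAMPLE_CONFIG = "# X11Forwarding no\nX11Forwarding yes\nPermitRootLogin no\n"
```

Distributions such as Debian and Ubuntu backport security fixes without changing the upstream version in the banner, so a banner-only check can report false positives; confirm against the distribution's advisory or package changelog before acting on an "exposed" result.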
