
SSH/X11 vulnerability



It may be of interest to those people using ssh.



------------------------------------------------------------------------
SSH/X11 Vulnerability                                     September 1997
------------------------------------------------------------------------

Systems affected:
        All systems running Secure Shell (SSH) clients and X11.

Description:
        In a firewalled environment, insecure protocols normally are not
        allowed to cross network boundaries and to enter the protected
        network environment.

        SSH is able to relay arbitrary TCP connections; in particular,
        X11 traffic is mediated by default.

        If SSH connections may leave the protected network environment,
        insecure protocols may unconsciously be imported and exploited.

Impact:
        Everyone who can access foreign .Xauthority files on SSH servers
        is able to access the X server of the SSH client machine. The
        client machine is open to a variety of attack scenarios while
        the SSH session exists.

Exploit:
        See References for a detailed description of the exploit.

Solution:
        Client side (administrator):
        Build SSH clients with "--disable_client_x11_forwarding".
        Set "ForwardX11" to "no" in "/etc/ssh_config".
        Set up packet filters which allow connections destined for
        port 22 only if originated from a privileged port.

        Client side (users):
        Set "ForwardX11" to "no" in "~/.ssh/config".
        Apply the "-x" option when using "ssh".

        Server side (administrator):
        Build SSH servers with "--disable_server_x11_forwarding".
        Set "X11Forwarding" to "no" in "/etc/sshd_config".

References:
        For a more detailed description of the vulnerability, its
        consequences and countermeasures see:

        http://home.braunschweig.netsurf.de/~ulrich.flegel/pub/ssh-x11.ps.gz

-----------------------------------------------------------------------
Copyright (c) 1997 Ulrich Flegel, Ulrich.Flegel@braunschweig.netsurf.de
-----------------------------------------------------------------------
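
An added example, not part of the advisory or of the SSH distribution: a Python check of what "ForwardX11" resolves to for a given host once the client-side settings above are in place. It assumes OpenSSH-style ssh_config parsing (case-insensitive keywords, first obtained value wins, "Host" patterns with * and ?) and treats an unset option as "yes", as the advisory describes; the sample config and host names are constructed.

```python
import fnmatch

# Constructed sample ~/.ssh/config; host names are placeholders.
SAMPLE = """\
# per-user client configuration
Host trusted.example.org
    ForwardX11 yes
Host *.example.org
    ForwardX11 no
Host *
    ForwardX11 = no
"""

def _host_matches(patterns, host):
    """True if host matches a Host line: a positive pattern and no negated one."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def effective_option(config_text, keyword, host, default):
    """Return the value used for keyword when connecting to host."""
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = _host_matches(args, host)
        elif active and key == keyword.lower() and args:
            return args[0].lower()  # first obtained value wins
    return default

def x11_forwarding_enabled(config_text, host, default="yes"):
    # default="yes" is an assumption taken from the advisory's description
    return effective_option(config_text, "ForwardX11", host, default) == "yes"
```

A "ForwardX11 no" placed inside one "Host" block does not cover other hosts, and an earlier "yes" overrides a later "no". The same effective_option() call can read "X11Forwarding" from an sshd_config that has no "Host" lines.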

