SSH/X11 vulnerability

Ulrich Flegel (flegel@MAIL.BRAUNSCHWEIG.NETSURF.DE)
Tue, 30 Sep 1997 21:48:29 +0100

------------------------------------------------------------------------
SSH/X11 Vulnerability September 1997
------------------------------------------------------------------------

Systems affected:
All systems running Secure Shell (SSH) clients and X11.

Description:
In a firewalled environment insecure protocols are normally not
allowed to cross the network boundary into the protected network.

SSH can forward arbitrary TCP connections, and X11 traffic in
particular is forwarded by default.

If SSH connections are allowed to leave the protected network,
insecure protocols such as X11 can be imported into it unnoticed
and exploited from outside.

Impact:
Anyone who can read another user's .Xauthority file on an SSH
server (root on that server, for example) obtains the cookie for
the forwarded display and can connect through it to the X server
of the SSH client machine. For as long as the SSH session exists
the client machine is exposed to the usual X11 attacks, such as
keystroke capture and window snapshots.

Exploit:
See References for a detailed description of the exploit.

Solution:
Client side (administrator):
Build SSH clients with "--disable-client-x11-forwarding".
Set "ForwardX11" to "no" in "/etc/ssh_config".
Set up packet filters which allow outgoing connections destined
for port 22 only if they originate from a privileged port, so that
only the administrator-installed, setuid root ssh client can reach
outside SSH servers and a user cannot bypass the build-time and
configuration restrictions with a privately compiled client.

Client side (users):
Set "ForwardX11" to "no" in "~/.ssh/config".
Apply the "-x" option when using "ssh".

Server side (administrator):
Build SSH servers with "--disable-server-x11-forwarding".
Set "X11Forwarding" to "no" in "/etc/sshd_config".
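As an added example, not part of the advisory, the shell script below checks whether an ssh 1.x style "Keyword value" configuration file actually turns X11 forwarding off (ForwardX11 for ssh_config and ~/.ssh/config, X11Forwarding for sshd_config) and produces a hardened copy in which the "no" setting comes first and therefore wins. The sample configuration files it writes are constructed for the demonstration, and the iptables rule in the comments is my translation of the advisory's privileged-port filter, not a rule the advisory gives.

```shell
#!/bin/sh
# Added example, not part of the advisory: check whether an ssh 1.x style
# "Keyword value" configuration file turns X11 forwarding off, and produce
# a hardened copy. ForwardX11 (ssh_config, ~/.ssh/config) and X11Forwarding
# (sshd_config) are the keywords the advisory names; the file names and
# sample contents below are constructed for the demonstration.

# Print "yes" if FILE ($1) disables X11 forwarding via KEYWORD ($2), "no"
# otherwise. Keywords match case-insensitively and the first setting wins,
# which is how ssh and sshd resolve repeated keywords. For ssh_config the
# check is conservative: a "Host" block other than "Host *" does not cover
# all destinations, so the scan stops there. A file that never mentions the
# keyword falls back to the compiled-in default, which in ssh 1.x forwards
# X11, so it counts as "no".
x11_forwarding_disabled() {
    value=$(awk -v kw="$2" '
        /^[[:space:]]*(#|$)/ { next }                 # comments, blank lines
        tolower($1) == "host" { if (NF != 2 || $2 != "*") exit; next }
        NF >= 2 && tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$1")
    case "$value" in
        no) echo yes ;;
        *)  echo no ;;
    esac
}

# Write a hardened copy of IN ($1) to OUT ($2): put "KEYWORD no" first so
# it wins, and comment out every existing setting of KEYWORD ($3).
disable_x11_forwarding() {
    {
        printf '%s no\n' "$3"
        awk -v kw="$3" '
            !/^[[:space:]]*#/ && NF >= 2 && tolower($1) == tolower(kw) { print "#" $0; next }
            { print }
        ' "$1"
    } > "$2"
}

# Constructed sample files in DIR ($1): the weak client and server configs
# and their hardened counterparts.
write_samples() {
    dir=$1
    cat > "$dir/ssh_config.weak" <<'EOF'
# constructed sample: X11 forwarding left on (the ssh 1.x default)
Host *
    ForwardX11 yes
    Compression yes
EOF
    cat > "$dir/sshd_config.weak" <<'EOF'
# constructed sample: the server also forwards X11 by default
Port 22
X11Forwarding yes
EOF
    disable_x11_forwarding "$dir/ssh_config.weak"  "$dir/ssh_config.hardened"  ForwardX11
    disable_x11_forwarding "$dir/sshd_config.weak" "$dir/sshd_config.hardened" X11Forwarding
}

# The advisory's packet filter, written for iptables (an assumption: the
# advisory predates iptables, so translate it for the filter you run).
# Outbound port-22 connections are refused unless they come from a
# privileged source port, which only the setuid root ssh client can bind:
#   iptables -A OUTPUT -p tcp --dport 22 --sport 1024:65535 -j REJECT

# Stand-alone demonstration (run with the argument "demo"): report the
# state of each sample file.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in ssh_config.weak ssh_config.hardened sshd_config.weak sshd_config.hardened; do
        case $f in ssh_*) kw=ForwardX11 ;; *) kw=X11Forwarding ;; esac
        printf '%-22s X11 forwarding disabled: %s\n' "$f" \
            "$(x11_forwarding_disabled "$tmp/$f" "$kw")"
    done
    rm -r "$tmp"
fi
```

The checker deliberately treats a missing keyword as "not disabled", since the advisory's point is that the default is to forward; run it against /etc/ssh_config, each user's ~/.ssh/config and /etc/sshd_config after applying the settings above, and remember that a user-built client or a "-X"-style override still needs the build-time and packet-filter measures.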

References:
For a more detailed description of the vulnerability, its
consequences and countermeasures see:

http://home.braunschweig.netsurf.de/~ulrich.flegel/pub/ssh-x11.ps.gz

-----------------------------------------------------------------------
Copyright (c) 1997 Ulrich Flegel, Ulrich.Flegel@braunschweig.netsurf.de
-----------------------------------------------------------------------