Bug 456426 (CVE-2008-3259)

Summary: CVE-2008-3259 openssh: SO_REUSEADDR insecure for X11 forwarding sockets on some platforms
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3259
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-23 16:30:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-07-23 14:31:59 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3259 to the following vulnerability:

OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the
X11UseLocalhost configuration setting is disabled, which allows local
users on some platforms to hijack the X11 forwarding port via a bind
to a single IP address, as demonstrated on the HP-UX platform.

References:
http://www.openssh.com/txt/release-5.1
http://secunia.com/advisories/31179

Upstream bug report with the patch:
https://bugzilla.mindrot.org/show_bug.cgi?id=1464
Comment 1 Tomas Hoger 2008-07-23 16:30:40 UTC 
This issue does not affect openssh packages as shipped with Red Hat Enterprise
Linux 2.1, 3, 4, and 5, and Fedora.

Bit more context:
As mentioned in the upstream announcement, this problem does not affect Linux
systems.  If any process is listening on some interface/IP using some TCP port,
Linux will refuse other process to bind the same port using the same
interface/IP or INADDR_ANY.

Additionally, there are few more mitigating factors:
Default sshd_config does not set X11UseLocalhost, so default value (yes) is
used, therefore one of the preconditions required to exploit this issue is not
met in the default configuration.

Usage of SO_REUSEADDR option for X11 forwarding sockets was introduced upstream
via following patch / upstream bug report:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.225&r2=1.226&f=h
https://bugzilla.mindrot.org/show_bug.cgi?id=1076

This was introduced upstream post-4.3p1, therefore no version of openssh as
shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5 tries to set SO_REUSEADDR
option for X11 forwarding sockets.