Bug 456426 - (CVE-2008-3259) CVE-2008-3259 openssh: SO_REUSEADDR insecure for X11 forwarding sockets on some platforms
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
source=cve,reported=20080722,public=2...
Keywords: Security
Reported: 2008-07-23 10:31 EDT by Tomas Hoger
Modified: 2012-09-20 15:46 EDT

Doc Type: Bug Fix
Last Closed: 2008-07-23 12:30:40 EDT

Description Tomas Hoger 2008-07-23 10:31:59 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3259 to the following vulnerability:

OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the
X11UseLocalhost configuration setting is disabled, which allows local
users on some platforms to hijack the X11 forwarding port via a bind
to a single IP address, as demonstrated on the HP-UX platform.

References:
http://www.openssh.com/txt/release-5.1
http://secunia.com/advisories/31179

Upstream bug report with the patch:
https://bugzilla.mindrot.org/show_bug.cgi?id=1464

Comment 1 Tomas Hoger 2008-07-23 12:30:40 EDT
This issue does not affect openssh packages as shipped with Red Hat Enterprise
Linux 2.1, 3, 4, and 5, and Fedora.

A bit more context:
As mentioned in the upstream announcement, this problem does not affect Linux
systems.  If any process is listening on some interface/IP using some TCP port,
Linux will refuse to let another process bind the same port using the same
interface/IP or INADDR_ANY.

Additionally, there are a few more mitigating factors:
The default sshd_config does not set X11UseLocalhost, so the default value (yes) is
used; therefore one of the preconditions required to exploit this issue is not
met in the default configuration.

Usage of the SO_REUSEADDR option for X11 forwarding sockets was introduced upstream
via the following patch / upstream bug report:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.225&r2=1.226&f=h
https://bugzilla.mindrot.org/show_bug.cgi?id=1076

This was introduced upstream post-4.3p1, therefore no version of openssh as
shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5 tries to set the SO_REUSEADDR
option for X11 forwarding sockets.
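
The Linux bind behaviour described in comment 1 can be checked on a given platform with a small probe. This is an added example, not code from this bug report or from OpenSSH; the function names `bind_reuse` and `specific_bind_allowed` are made up here, and the probe assumes the loopback address and a kernel-chosen port.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* TCP socket with SO_REUSEADDR bound to addr:port; returns fd or -errno. */
static int bind_reuse(in_addr_t addr, in_port_t port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = port,
                              .sin_addr = { .s_addr = addr } };
    int on = 1, err, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == 0 &&
        bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0)
        return fd;
    err = errno;
    close(fd);
    return -err;
}

/* 0: second bind refused with EADDRINUSE (the Linux behaviour described in
 * comment 1); 1: second bind succeeded; -1: the probe itself failed. */
int specific_bind_allowed(void)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int second, result = -1;
    int first = bind_reuse(htonl(INADDR_ANY), 0); /* wildcard, kernel-chosen port */
    if (first < 0)
        return -1;
    if (listen(first, 1) == 0 &&
        getsockname(first, (struct sockaddr *)&sa, &len) == 0) {
        second = bind_reuse(htonl(INADDR_LOOPBACK), sa.sin_port);
        result = second >= 0 ? 1 : (second == -EADDRINUSE ? 0 : -1);
        if (second >= 0)
            close(second);
    }
    close(first);
    return result;
}

int main(void)
{
    int r = specific_bind_allowed();
    puts(r == 0 ? "refused (EADDRINUSE)" : r == 1 ? "second bind allowed" : "probe failed");
    return r < 0;
}
```

A result of 1 means the platform lets a second socket take a single IP address on a port that already has a wildcard listener with SO_REUSEADDR set, which is the condition the CVE description refers to.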
