Red Hat Bugzilla – Bug 456426
CVE-2008-3259 openssh: SO_REUSEADDR insecure for X11 forwarding sockets on some platforms
Last modified: 2012-09-20 15:46:19 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3259 to the following vulnerability:
OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the
X11UseLocalhost configuration setting is disabled, which allows local
users on some platforms to hijack the X11 forwarding port via a bind
to a single IP address, as demonstrated on the HP-UX platform.
Upstream bug report with the patch:
This issue does not affect openssh packages as shipped with Red Hat Enterprise
Linux 2.1, 3, 4, and 5, and Fedora.
Bit more context:
As mentioned in the upstream announcement, this problem does not affect Linux
systems. If any process is listening on some interface/IP using some TCP port,
Linux will refuse other process to bind the same port using the same
interface/IP or INADDR_ANY.
Additionally, there are few more mitigating factors:
Default sshd_config does not set X11UseLocalhost, so default value (yes) is
used, therefore one of the preconditions required to exploit this issue is not
met in the default configuration.
Usage of SO_REUSEADDR option for X11 forwarding sockets was introduced upstream
via following patch / upstream bug report:
This was introduced upstream post-4.3p1, therefore no version of openssh as
shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5 tries to set SO_REUSEADDR
option for X11 forwarding sockets.