Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3259 to the following vulnerability: OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address, as demonstrated on the HP-UX platform. References: http://www.openssh.com/txt/release-5.1 http://secunia.com/advisories/31179 Upstream bug report with the patch: https://bugzilla.mindrot.org/show_bug.cgi?id=1464
This issue does not affect openssh packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Fedora. Bit more context: As mentioned in the upstream announcement, this problem does not affect Linux systems. If any process is listening on some interface/IP using some TCP port, Linux will refuse other process to bind the same port using the same interface/IP or INADDR_ANY. Additionally, there are few more mitigating factors: Default sshd_config does not set X11UseLocalhost, so default value (yes) is used, therefore one of the preconditions required to exploit this issue is not met in the default configuration. Usage of SO_REUSEADDR option for X11 forwarding sockets was introduced upstream via following patch / upstream bug report: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.225&r2=1.226&f=h https://bugzilla.mindrot.org/show_bug.cgi?id=1076 This was introduced upstream post-4.3p1, therefore no version of openssh as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5 tries to set SO_REUSEADDR option for X11 forwarding sockets.