COMMAND

    SSH/X11

SYSTEMS AFFECTED

    All systems running Secure Shell (SSH) clients and X11.

PROBLEM

    Ulrich Flegel reported the following.  In a firewalled environment,
    insecure protocols are normally not allowed to cross the network
    boundary and enter the protected network.

    SSH is able to relay arbitrary TCP connections; in particular, X11
    traffic is forwarded by default.

    If SSH connections may leave the protected network, insecure
    protocols can thus be imported unwittingly and exploited.

    Everyone who can read a foreign .Xauthority file on an SSH server
    (the file in which sshd stores the cookie for the forwarded display
    it creates for the session) can connect to the X server of the SSH
    client machine: the connection travels back over the authenticated
    SSH channel, so the client's X server accepts it.  Any program that
    can talk to an X server can read keystrokes and screen contents and
    inject input, so the client machine is open to a variety of attack
    scenarios for as long as the SSH session exists.  For a more
    detailed description of the vulnerability, its consequences and
    countermeasures see:

    http://home.braunschweig.netsurf.de/~ulrich.flegel/pub/ssh-x11.ps.gz

    Tatu Ylonen pointed out that this is hardly a new issue, nor is it
    really an SSH problem.  This and the more general TCP/IP
    port-forwarding issue have been discussed on the SSH mailing list
    several times over the past two years (1995-97).

    The "attack"  is really  just saying  that if  you have  a corrupt
    server, and you forward X11 to it, it can connect to your local  X
    server.  This is true and avoidable in every scenario I can  think
    of where  your server  is allowed  to make  any X11 connections to
    your  X  server.   You  can  only  avoid  it  by  not allowing X11
    connections from the remote machine at all.

    It is good that Ulrich has written an "exploit" to illustrate  the
    problem, but  the same  "exploit" works  equally well  even if you
    don't  use  SSH  at  all  (assuming  you  still  want to allow X11
    connections).

    X11 forwarding is definitely not a feature that should be entirely
    disabled.  It is extremely useful  for a lot of people.   However,
    disabling it has been made as  flexible as it possibly can be  for
    those who do want to disable it.  SSH has for a long time provided
    options to disable X11 forwarding:

        - at compile time
        - in config files
        - on command line.

SOLUTION

    Client side (administrator):

        Build SSH clients with "--disable_client_x11_forwarding".
        Set "ForwardX11" to "no" in "/etc/ssh_config".
        Set up packet filters which allow connections destined for
        port 22 only if they originate from a privileged port, so that
        only the system ssh binary (installed setuid root and
        configured as above) can open SSH connections; an unprivileged
        user cannot bind a privileged source port for a private ssh
        build with X11 forwarding turned back on.

    Client side (users):

        Set "ForwardX11" to "no" in "~/.ssh/config".
        Apply the "-x" option when using "ssh".

    Server side (administrator):

        Build SSH servers with "--disable_server_x11_forwarding".
        Set "X11Forwarding" to "no" in "/etc/sshd_config".
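
    The checks behind the settings above, as an added example written
    for this page (it is not code from the advisory or from the SSH
    distribution): a POSIX sh script that reports a client whose
    ForwardX11 is not "no", a server whose X11Forwarding is not "no",
    and .Xauthority files on the server that other users can read, the
    precondition described under PROBLEM.  Assumed, not taken from the
    page: the config files use whitespace-separated "Keyword value"
    lines with the first value winning, ssh_config "Host" blocks are
    not evaluated, and a missing keyword means forwarding is on, in
    line with "forwarded by default".

```shell
#!/bin/sh
# Added example, not part of the advisory or of the SSH distribution:
# audit an SSH 1.x client/server host for the settings recommended in
# SOLUTION and for .Xauthority files that other users could read.
#
# Assumptions (not taken from the advisory):
#  - config lines are "Keyword value", keywords case-insensitive,
#    first value wins; ssh_config "Host" blocks are not evaluated
#  - X11 forwarding defaults to "yes" when the keyword is absent

# x11_setting FILE KEYWORD DEFAULT
# Print the effective value of KEYWORD in FILE, lower-cased (e.g. "no");
# DEFAULT when the keyword is absent or FILE cannot be read.
x11_setting() {
    file=$1 keyword=$2 default=$3
    value=
    if [ -r "$file" ]; then
        value=$(awk -v kw="$keyword" '
            $1 ~ /^#/ || NF < 2        { next }              # comments, blanks
            tolower($1) == tolower(kw) { print tolower($2); exit }
        ' "$file")
    fi
    printf '%s\n' "${value:-$default}"
}

# readable_xauthority DIR
# List .Xauthority files below DIR that are readable by group or others.
# Each one hands its reader the cookie for a forwarded display, i.e.
# access to the X server of the user logged in with X11 forwarding on.
readable_xauthority() {
    find "$1" -type f -name .Xauthority \
        \( -perm -040 -o -perm -004 \) -print 2>/dev/null | sort
}

# audit SSH_CONFIG SSHD_CONFIG HOMEDIR
# Print findings; return 0 when nothing was found, 1 otherwise.
audit() {
    bad=0
    if [ "$(x11_setting "$1" ForwardX11 yes)" != no ]; then
        echo "client: ForwardX11 is not set to no in $1"; bad=1
    fi
    if [ "$(x11_setting "$2" X11Forwarding yes)" != no ]; then
        echo "server: X11Forwarding is not set to no in $2"; bad=1
    fi
    list=$(readable_xauthority "$3")
    if [ -n "$list" ]; then
        printf '%s\n' "$list" | sed 's/^/server: readable by other users: /'
        bad=1
    fi
    return $bad
}

# Usage: sh audit-x11.sh /etc/ssh_config /etc/sshd_config /home
if [ $# -eq 3 ]; then
    audit "$@"
fi
```

    Run it on both the client (first check) and the server (second and
    third checks); a non-zero exit status means at least one of the
    countermeasures above is missing.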