A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.
Weakness
The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Openssh-ssh1 | Ubuntu | devel | * |
| Openssh-ssh1 | Ubuntu | esm-apps/bionic | * |
| Openssh-ssh1 | Ubuntu | esm-apps/focal | * |
| Openssh-ssh1 | Ubuntu | esm-apps/jammy | * |
| Openssh-ssh1 | Ubuntu | esm-apps/noble | * |
| Openssh-ssh1 | Ubuntu | esm-apps/resolute | * |
| Openssh-ssh1 | Ubuntu | jammy | * |
| Openssh-ssh1 | Ubuntu | noble | * |
| Openssh-ssh1 | Ubuntu | questing | * |
| Openssh-ssh1 | Ubuntu | resolute | * |
| Openssh-ssh1 | Ubuntu | upstream | * |
Extended Description
Attackers might be able to spoof the intended endpoint from a different system or process, thus gaining the same level of access as the intended endpoint. While this issue frequently involves authentication between network-based clients and servers, other types of communication channels and endpoints can have this weakness.
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/161.html
- https://cwe.mitre.org/data/definitions/481.html
- https://cwe.mitre.org/data/definitions/501.html
- https://cwe.mitre.org/data/definitions/697.html