VYPR
Unrated severity · NVD Advisory · Published Aug 3, 2015 · Updated May 6, 2026

CVE-2015-5352

Description

OpenSSH before 6.9 fails to check X11 connection refusal deadline when ForwardX11Trusted is off, allowing remote bypass of access restrictions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In OpenSSH versions prior to 6.9, the x11_open_helper function in channels.c lacks a check of the refusal deadline for X11 connections when ForwardX11Trusted mode is not used (i.e., ForwardX11Trusted=no). This means that after the ForwardX11Timeout period has expired, ssh(1) does not refuse the client socket, so later X11 connections may still be permitted without the XSECURITY restrictions expected for untrusted forwarding [2][3].
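The deadline check the description refers to, modelled as an added example (not OpenSSH's own channels.c code; the struct and function names are hypothetical). It contrasts a client that never consults its ForwardX11Timeout deadline, and so leaves refusal to the "fail open" X server, with one that refuses the connection itself once the monotonic deadline has passed.

```c
/* Added example (not OpenSSH code): models the client-side ForwardX11Timeout
 * deadline check that ssh(1) before 6.9 lacked for ForwardX11Trusted=no.
 * Names are hypothetical; times are monotonic seconds. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FORWARD_X11_TIMEOUT_DEFAULT 1200u   /* ssh_config default: 20 minutes */

struct x11_fwd_state {
    bool trusted;           /* ForwardX11Trusted yes/no */
    uint64_t refuse_time;   /* deadline in monotonic seconds; 0 = no deadline */
};

/* Called once when X11 forwarding is set up for the session.
 * Trusted forwarding carries no timeout; untrusted forwarding gets a deadline. */
void x11_fwd_init(struct x11_fwd_state *s, bool trusted,
                  uint64_t now, unsigned timeout_secs)
{
    s->trusted = trusted;
    s->refuse_time = (!trusted && timeout_secs != 0) ? now + timeout_secs : 0;
}

/* Vulnerable behaviour: the deadline is never consulted, so refusal is left
 * to the X server, which accepts connections with expired credentials. */
bool x11_open_vulnerable(const struct x11_fwd_state *s, uint64_t now)
{
    (void)s; (void)now;
    return true;
}

/* Hardened behaviour: the client refuses new X11 connections itself
 * once the deadline has passed, regardless of what the X server would do. */
bool x11_open_hardened(const struct x11_fwd_state *s, uint64_t now)
{
    if (s->refuse_time != 0 && now >= s->refuse_time) {
        fprintf(stderr, "Rejected X11 connection after ForwardX11Timeout expired\n");
        return false;
    }
    return true;
}

int main(void)
{
    struct x11_fwd_state s;
    x11_fwd_init(&s, false, 1000, FORWARD_X11_TIMEOUT_DEFAULT);  /* deadline = 2200 */
    printf("at t=2199: hardened=%d\n", x11_open_hardened(&s, 2199));  /* 1 */
    printf("at t=2200: vulnerable=%d hardened=%d\n",
           x11_open_vulnerable(&s, 2200), x11_open_hardened(&s, 2200));  /* 1 0 */
    return 0;
}
```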

Exploitation

An attacker who can establish an SSH session with X11 forwarding enabled (ForwardX11Trusted=no) and who initiates X11 connections after the configured ForwardX11Timeout (default 20 minutes) can exploit the missing deadline check. The attacker simply needs to be able to open X11 client connections through the forwarded channel; the ineffective timeout check in ssh(1) coupled with the X11 server's "fail open" behavior allows these connections to proceed [2].

Impact

Successful exploitation allows an attacker to bypass the intended time-based access restrictions and the XSECURITY extensions, potentially gaining access to the X11 display without the restrictions normally applied to untrusted X11 forwarding. This could lead to information disclosure or unauthorized interaction with the X server [1][2].

Mitigation

OpenSSH 6.9, released on 2015-07-01, contains the fix for CVE-2015-5352. Users should upgrade to version 6.9 or later. Red Hat Enterprise Linux patches were made available in RHSA-2016-0741 [1]. No workaround is documented, but users may reduce risk by disabling X11 forwarding or setting ForwardX11Trusted to yes (though this reduces security) [2][3].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.