CCE-96067-4| Platform: cpe:/o:suse:suse_linux_enterprise_server:15 | Date: (C)2022-09-27 (M)2023-07-04 |
Description
The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.
Rationale
Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders.
Remediation
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
X11Forwarding no
Parameter:
[yes/no]
Technical Mechanism:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
X11Forwarding no
| CCSS Severity: | CCSS Metrics: |
| CCSS Score : 8.5 | Attack Vector: NETWORK |
| Exploit Score: 1.8 | Attack Complexity: HIGH |
| Impact Score: 6.0 | Privileges Required: LOW |
| Severity: HIGH | User Interaction: NONE |
| Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | Scope: CHANGED |
| | Confidentiality: HIGH |
| | Integrity: HIGH |
| | Availability: HIGH |
| | |
References: | Resource Id | Reference |
|---|
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:84490 |
