CCE-95770-4| Platform: cpe:/o:ubuntu:ubuntu_linux:20.04 | Date: (C)2024-02-12 (M)2024-02-12 |
When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.
Fixtext:
Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11UseLocalhost" keyword and set its value to "yes"
Parameter:
[Yes/No]
Technical Mechanism:
Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11UseLocalhost" keyword and set its value to "yes"
| CCSS Severity: | CCSS Metrics: |
| CCSS Score : 7.5 | Attack Vector: NETWORK |
| Exploit Score: 2.5 | Attack Complexity: LOW |
| Impact Score: 3.6 | Privileges Required: NONE |
| Severity: MEDIUM | User Interaction: NONE |
| Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | Scope: UNCHANGED |
| | Confidentiality: HIGH |
| | Integrity: NONE |
| | Availability: NONE |
| | |
References: | Resource Id | Reference |
|---|
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:97828 |
