CCE-95634-2| Platform: cpe:/o:ubuntu:ubuntu_linux:16.04, cpe:/o:ubuntu:ubuntu_linux:18.04, cpe:/o:ubuntu:ubuntu_linux:20.04, cpe:/o:ubuntu:ubuntu_linux:22.04, cpe:/o:ubuntu:ubuntu_linux:23.04 | Date: (C)2021-03-08 (M)2023-09-01 |
SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines.
Rationale:
Leaving port forwarding enabled can expose the organization to security risks and backdoors.
Fix:
Edit /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no
Parameter:
[yes/no]
Technical Mechanism:
Edit /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no
| CCSS Severity: | CCSS Metrics: |
| CCSS Score : 8.4 | Attack Vector: LOCAL |
| Exploit Score: 2.5 | Attack Complexity: LOW |
| Impact Score: 5.9 | Privileges Required: NONE |
| Severity: HIGH | User Interaction: NONE |
| Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| | Confidentiality: HIGH |
| | Integrity: HIGH |
| | Availability: HIGH |
| | |
References: | Resource Id | Reference |
|---|
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:68687 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:70677 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:92201 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:85211 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:70767 |
