Ubuntu 22.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display.

STIG ID: UBTU-22-255045  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-260530 | 

Vulnerability Discussion

When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.

Check

Verify the SSH server prevents remote hosts from connecting to the proxy display by using the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH 'x11uselocalhost'
/etc/ssh/sshd_config:X11UseLocalhost yes

If "X11UseLocalhost" is set to "no", is commented out, is missing, or conflicting results are returned, this is a finding.

Fix

Configure the SSH server to prevent remote hosts from connecting to the proxy display.

Add or modify the following line in the "/etc/ssh/sshd_config" file:

X11UseLocalhost yes

Restart the SSH daemon for the changes to take effect:

$ sudo systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.