From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 00:14:55 2008
Date: Thu, 17 Apr 2008 00:14:55 GMT
Message-Id: <200804170014.m3H0Et3m028277@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:05.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH X11-forwarding privilege escalation

Category:       contrib
Module:         openssh
Announced:      2008-04-17
Credits:        Timo Juhani Lindfors
Affects:        All supported versions of FreeBSD
Corrected:      2008-04-16 23:58:33 UTC (RELENG_7, 7.0-STABLE)
                2008-04-16 23:58:52 UTC (RELENG_7_0, 7.1-RELEASE-p1)
                2008-04-16 23:59:35 UTC (RELENG_6, 6.3-STABLE)
                2008-04-16 23:59:48 UTC (RELENG_6_3, 6.3-RELEASE-p2)
                2008-04-17 00:00:04 UTC (RELENG_6_2, 6.2-RELEASE-p12)
                2008-04-17 00:00:28 UTC (RELENG_6_1, 6.1-RELEASE-p24)
                2008-04-17 00:00:41 UTC (RELENG_5, 5.5-STABLE)
                2008-04-17 00:00:54 UTC (RELENG_5_5, 5.5-RELEASE-p20)
CVE Name:       CVE-2008-1483

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access. The OpenSSH server daemon (sshd)
provides support for the X11 protocol by binding to a port on the
server and forwarding any connections which are made to that port.

II.  Problem Description

When logging in via SSH with X11-forwarding enabled, sshd(8) fails to
correctly handle the case where it fails to bind to an IPv4 port but
successfully binds to an IPv6 port. In this case, applications which
use X11 will connect to the IPv4 port, even though it had not been
bound by sshd(8) and is therefore not being securely forwarded.

III. Impact

A malicious user could listen for X11 connections on an unused IPv4
port, e.g. tcp port 6010. When an unaware user logs in and sets up X11
forwarding the malicious user can capture all X11 data sent over the
port, potentially disclosing sensitive information or allowing the
execution of commands with the privileges of the user using the
X11 forwarding.

NOTE WELL: FreeBSD ships with IPv6 enabled by default in the GENERIC
and SMP kernels, so users are vulnerable even if they have not
explicitly enabled IPv6 networking.

IV.  Workaround

Disable support for IPv6 in the sshd(8) daemon by setting the option
"AddressFamily inet" in /etc/ssh/sshd_config.

Disable support for X11 forwarding in the sshd(8) daemon by setting
the option "X11Forwarding no" in /etc/ssh/sshd_config.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, 6-STABLE, or 7-STABLE,
or to the RELENG_7_0, RELENG_6_3, RELENG_6_2, RELENG_6_1, RELENG_5_5
security branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 5.5, 6.1,
6.2, 6.3, and 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:05/openssh.patch
# fetch http://security.FreeBSD.org/patches/SA-08:05/openssh.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssh
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.sbin/sshd
# make obj && make depend && make && make install
# /etc/rc.d/sshd restart

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_5
  src/crypto/openssh/channels.c                                  1.18.2.1
RELENG_5_5
  src/UPDATING                                            1.342.2.35.2.21
  src/sys/conf/newvers.sh                                  1.62.2.21.2.22
  src/crypto/openssh/channels.c                                  1.18.8.1
RELENG_6
  src/crypto/openssh/channels.c                                  1.20.2.3
RELENG_6_3
  src/UPDATING                                             1.416.2.37.2.6
  src/sys/conf/newvers.sh                                   1.69.2.15.2.5
  src/crypto/openssh/channels.c                              1.20.2.2.4.1
RELENG_6_2
  src/UPDATING                                            1.416.2.29.2.16
  src/sys/conf/newvers.sh                                  1.69.2.13.2.15
  src/crypto/openssh/channels.c                              1.20.2.2.2.1
RELENG_6_1
  src/UPDATING                                            1.416.2.22.2.27
  src/sys/conf/newvers.sh                                  1.69.2.11.2.26
  src/crypto/openssh/channels.c                              1.20.2.1.4.1
RELENG_7
  src/crypto/openssh/channels.c                                  1.23.2.1
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.5
  src/sys/conf/newvers.sh                                    1.72.2.5.2.5
  src/crypto/openssh/channels.c                                  1.23.4.1
-------------------------------------------------------------------------

VII. References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
http://www.openssh.com/txt/release-5.0

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:05.openssh.asc

From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 06:22:08 2008
Date: Thu, 17 Apr 2008 16:07:56 +1000 (EST)
From: Ian Smith
To: freebsd-security@freebsd.org
In-Reply-To: <200804170014.m3H0Et3m028277@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh

On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote:

> IV.  Workaround
>
> Disable support for IPv6 in the sshd(8) daemon by setting the option
> "AddressFamily inet" in /etc/ssh/sshd_config.
>
> Disable support for X11 forwarding in the sshd(8) daemon by setting
> the option "X11Forwarding no" in /etc/ssh/sshd_config.

It's not quite clear from this whether both workarounds are required, or
just either one, until upgrading?

cheers, Ian

From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 08:59:00 2008
Date: Thu, 17 Apr 2008 10:39:12 +0200
From: mouss
To: Ian Smith
Cc: freebsd-security@freebsd.org
Message-ID: <48070CB0.3050303@netoyen.net>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh

Ian Smith wrote:
> On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote:
>
> > IV.  Workaround
> >
> > Disable support for IPv6 in the sshd(8) daemon by setting the option
> > "AddressFamily inet" in /etc/ssh/sshd_config.
> >
> > Disable support for X11 forwarding in the sshd(8) daemon by setting
> > the option "X11Forwarding no" in /etc/ssh/sshd_config.
>
> It's not quite clear from this whether both workarounds are required, or
> just either one, until upgrading?
>

My understanding is that either workaround will prevent the problem,
since the problem relies on x11 forwarding and ipv6 being both enabled.

From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 11:39:46 2008
Date: Thu, 17 Apr 2008 21:39:36 +1000 (EST)
From: Ian Smith
To: Peter Pentchev
Cc: freebsd-security@freebsd.org
In-Reply-To: <20080417084544.GA2461@straylight.m.ringlet.net>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh

On Thu, 17 Apr 2008, Peter Pentchev wrote:
> On Thu, Apr 17, 2008 at 04:07:56PM +1000, Ian Smith wrote:
> > On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote:
> >
> > > IV.  Workaround
> > >
> > > Disable support for IPv6 in the sshd(8) daemon by setting the option
> > > "AddressFamily inet" in /etc/ssh/sshd_config.
> > >
> > > Disable support for X11 forwarding in the sshd(8) daemon by setting
> > > the option "X11Forwarding no" in /etc/ssh/sshd_config.
> >
> > It's not quite clear from this whether both workarounds are required, or
> > just either one, until upgrading?
>
> Either one, depending on what you want - if your users *need* and use
> X11 forwarding, then you wouldn't want to use "X11Forwarding no" :)
>
> Basically:
> - if you DO NOT use X11 forwarding, just disable it with "X11Forwarding no"
> - if you use X11 forwarding *and* you DO NOT use IPv6, use the
>   "AddressFamily inet" line
> - if you use X11 forwarding *and* you use IPv6, then you must upgrade.

Thanks for the confirmation Peter, also Jille and mouss.

cheers, Ian

From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 12:27:56 2008
Date: Thu, 17 Apr 2008 13:27:41 +0100
From: Matthew Seaman
Organization: Infracaninophile
To: Ian Smith
Cc: freebsd-security@freebsd.org
Message-ID: <4807423D.1090206@infracaninophile.co.uk>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Ian Smith wrote:
> On Thu, 17 Apr 2008, Peter Pentchev wrote:
> > On Thu, Apr 17, 2008 at 04:07:56PM +1000, Ian Smith wrote:
> > > On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote:
> > >
> > > > IV.  Workaround
> > > >
> > > > Disable support for IPv6 in the sshd(8) daemon by setting the option
> > > > "AddressFamily inet" in /etc/ssh/sshd_config.
> > > >
> > > > Disable support for X11 forwarding in the sshd(8) daemon by setting
> > > > the option "X11Forwarding no" in /etc/ssh/sshd_config.
> > >
> > > It's not quite clear from this whether both workarounds are required, or
> > > just either one, until upgrading?
> >
> > Either one, depending on what you want - if your users *need* and use
> > X11 forwarding, then you wouldn't want to use "X11Forwarding no" :)
> >
> > Basically:
> > - if you DO NOT use X11 forwarding, just disable it with "X11Forwarding no"
> > - if you use X11 forwarding *and* you DO NOT use IPv6, use the
> >   "AddressFamily inet" line
> > - if you use X11 forwarding *and* you use IPv6, then you must upgrade.
>
> Thanks for the confirmation Peter, also Jille and mouss.

Hmmm... something that wasn't immediately clear to me reading the
advisory: the requirement for an attacker to listen(2) on tcp port
6010 means that they have to have a login on the box being attacked.
i.e. it's a *local* information leak rather than a network attack. It
took me some time and a few gentle thwaps with the clue stick by
colleagues better versed in the sockets API than me before I
understood that.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW, UK

From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 18:35:04 2008
Date: Thu, 17 Apr 2008 11:15:04 -0700 (PDT)
From: Roger Marquis
To: freebsd-security@freebsd.org
In-Reply-To: <20080417120024.AFEF810656FB@hub.freebsd.org>
Message-Id: <20080417181504.20C902B4039@mx5.roble.com>
Subject: openssl doesn't -overwrite-base again (was: FreeBSD-SA-08:05.openssh)

I'd like to thank the openssh-portable port maintainer/s for preserving
the -overwrite-base option. This eases our systems and security update
jobs measurably.

Unfortunately, openSSL has dropped the -overwrite-base option (again),
leaving us with two versions of openssl and some confusion over A) which
version of openssl a new port or upgrade (i.e., openssh) will use, and
B) how to update systems with openssl-overwrite-base installed.

Is there a best practice/recommendation for updating
openssl-overwrite-base without having to maintain multiple versions?

Roger Marquis
Roble Systems Consulting

From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 20:08:49 2008
Date: Thu, 17 Apr 2008 21:52:12 +0200
From: Dag-Erling Smørgrav
To: Matthew Seaman
Cc: freebsd-security@freebsd.org, Ian Smith
In-Reply-To: <4807423D.1090206@infracaninophile.co.uk> (Matthew Seaman's message of "Thu, 17 Apr 2008 13:27:41 +0100")
Message-ID: <86d4oow977.fsf@ds4.des.no>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh

Matthew Seaman writes:
> Hmmm... something that wasn't immediately clear to me reading the
> advisory: the requirement for an attacker to listen(2) on tcp port
> 6010 means that they have to have a login on the box being attacked.
> i.e. it's a *local* information leak rather than a network attack. It
> took me some time and a few gentle thwaps with the clue stick by
> colleagues better versed in the sockets API than me before I
> understood that.

Yes, it's an interesting vulnerability. The attacker needs to be able
to execute code that listens to localhost:60XX on the server, but the
attack is directed at the client, not the server. You could say that
the workaround (on the server) is a mere courtesy to the client on the
part of the server - although of course the attacker could use this to
sniff the server's root password or hijack a root shell, so it's not
quite so clear-cut.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 20:09:40 2008
Date: Thu, 17 Apr 2008 15:42:37 -0400
From: "Bob Johnson"
To: freebsd-security@freebsd.org
In-Reply-To: <200804170014.m3H0Et26028285@freefall.freebsd.org>
Message-ID: <54db43990804171242r4e8048c7hc8caa377a7ddc13f@mail.gmail.com>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh

Minor typo: In the list of corrected versions, shouldn't "RELENG_7_0,
7.1-RELEASE-p1" say "RELENG_7_0, 7.0-RELEASE-p1", i.e. it says 7.1
rather than 7.0?

- Bob

On 4/16/08, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-08:05.openssh                                    Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          OpenSSH X11-forwarding privilege escalation
>
> Category:       contrib
> Module:         openssh
> Announced:      2008-04-17
> Credits:        Timo Juhani Lindfors
> Affects:        All supported versions of FreeBSD
> Corrected:      2008-04-16 23:58:33 UTC (RELENG_7, 7.0-STABLE)
>                 2008-04-16 23:58:52 UTC (RELENG_7_0, 7.1-RELEASE-p1)
>                 2008-04-16 23:59:35 UTC (RELENG_6, 6.3-STABLE)
>                 2008-04-16 23:59:48 UTC (RELENG_6_3, 6.3-RELEASE-p2)
>                 2008-04-17 00:00:04 UTC (RELENG_6_2, 6.2-RELEASE-p12)
>                 2008-04-17 00:00:28 UTC (RELENG_6_1, 6.1-RELEASE-p24)
>                 2008-04-17 00:00:41 UTC (RELENG_5, 5.5-STABLE)
>                 2008-04-17 00:00:54 UTC (RELENG_5_5, 5.5-RELEASE-p20)
> CVE Name:       CVE-2008-1483
>
> [...]
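The partial-bind failure the advisory's Problem Description refers to, modelled as an added example (not code from the advisory or from OpenSSH): the vulnerable allocator accepts a display as soon as any address family binds, while the corrected one requires every family and otherwise releases what it bound and tries the next display. The `Binder` callable, `X11_BASE_PORT` and the constructed scenario of tcp/6010 already held on IPv4 are assumptions made for the demonstration.

```python
"""Added example, not code from the advisory or from OpenSSH: a model of the
X11 display-port allocation that CVE-2008-1483 concerns.  sshd picks a
display N and must own tcp port 6000+N on every address family it serves.
The vulnerable logic kept a partial result (IPv6 bound, IPv4 not), so X11
clients dialling the IPv4 port reached whatever local process held it.  The
corrected logic releases a partial result and moves on to the next display."""
import errno
import socket
from typing import Callable, List

X11_BASE_PORT = 6000  # X11 convention: display N listens on tcp 6000 + N

# A binder takes (address family, port) and returns a bound listener object,
# raising OSError when the port cannot be bound for that family.
Binder = Callable[[int, int], object]


def real_binder(family: int, port: int) -> socket.socket:
    """Bind a real TCP listener on the loopback address of `family`."""
    host = "127.0.0.1" if family == socket.AF_INET else "::1"
    sock = socket.socket(family, socket.SOCK_STREAM)
    try:
        if family == socket.AF_INET6:
            # Keep the v6 socket v6-only so a dual-stack bind cannot hide a
            # free v4 port: each family must be claimed explicitly.
            sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
        sock.bind((host, port))
        sock.listen(5)
    except OSError:
        sock.close()
        raise
    return sock


def _release(listeners: List[object]) -> None:
    """Close every listener of a partial result (fake listeners have no close)."""
    for listener in listeners:
        close = getattr(listener, "close", None)
        if close is not None:
            close()


def allocate_display_vulnerable(families, displays, binder: Binder = real_binder):
    """Pre-fix behaviour: accept a display as soon as *any* family binds.
    Returns (display, listeners) or None."""
    for display in displays:
        port = X11_BASE_PORT + display
        bound = []
        for family in families:
            try:
                bound.append(binder(family, port))
            except OSError:
                continue  # defect: a family that failed to bind is skipped
        if bound:  # one success is enough here, even if another family failed
            return display, bound
    return None


def allocate_display_fixed(families, displays, binder: Binder = real_binder):
    """Corrected behaviour: every family binds, or the display is rejected
    and the listeners already bound for it are released."""
    for display in displays:
        port = X11_BASE_PORT + display
        bound = []
        complete = True
        for family in families:
            try:
                bound.append(binder(family, port))
            except OSError:
                complete = False
                break
        if complete:
            return display, bound
        _release(bound)  # never leave a port half-claimed across families
    return None


def make_fake_binder(occupied) -> Binder:
    """Constructed binder for an offline run: (family, port) pairs listed in
    `occupied` behave as if another local process already holds them."""
    def binder(family, port):
        if (family, port) in occupied:
            raise OSError(errno.EADDRINUSE, "Address already in use")
        return (family, port)  # stand-in for a bound listener
    return binder


def demo(families=(socket.AF_INET6, socket.AF_INET)):
    """Constructed scenario: a local process holds tcp/6010 on IPv4 only.
    Returns ((display, families bound), ...) for the vulnerable and fixed
    allocators, as counts so the result does not depend on the platform."""
    binder = make_fake_binder({(socket.AF_INET, X11_BASE_PORT + 10)})
    vuln = allocate_display_vulnerable(families, range(10, 20), binder)
    fixed = allocate_display_fixed(families, range(10, 20), binder)
    return (vuln[0], len(vuln[1])), (fixed[0], len(fixed[1]))


if __name__ == "__main__":
    print(demo())  # ((10, 1), (11, 2)): v6-only display 10 vs both on 11
```

With the real binder the same two functions can be pointed at a live host, which is how one would confirm that a patched sshd-style allocator skips a display whose IPv4 port is already taken.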