From owner-svn-doc-all@freebsd.org Wed Jan 11 06:07:44 2017
Message-Id: <201701110607.v0B67gI2003346@repo.freebsd.org>
From: Xin LI
Date: Wed, 11 Jan 2017 06:07:42 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r49830 - in head/share: security/advisories security/patches/SA-17:01 xml
X-SVN-Group: doc-head

Author: delphij
Date: Wed Jan 11 06:07:42 2017
New Revision: 49830
URL: https://svnweb.freebsd.org/changeset/doc/49830

Log:
  Add SA-17:01.

Added:
  head/share/security/advisories/FreeBSD-SA-17:01.openssh.asc   (contents, props changed)
  head/share/security/patches/SA-17:01/
  head/share/security/patches/SA-17:01/openssh.patch   (contents, props changed)
  head/share/security/patches/SA-17:01/openssh.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-17:01.openssh.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-17:01.openssh.asc	Wed Jan 11 06:07:42 2017	(r49830)
@@ -0,0 +1,158 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-17:01.openssh Security Advisory + The FreeBSD Project + +Topic: OpenSSH multiple vulnerabilities + +Category: contrib +Module: OpenSSH +Announced: 2017-01-11 +Affects: All supported versions of FreeBSD. +Corrected: 2017-01-11 05:56:40 UTC (stable/11, 11.0-STABLE) + 2017-01-11 06:01:23 UTC (releng/11.0, 11.0-RELEASE-p7) + 2017-01-11 05:56:40 UTC (stable/10, 10.3-STABLE) + 2017-01-11 06:01:23 UTC (releng/10.3, 10.3-RELEASE-p16) +CVE Name: CVE-2016-10009, CVE-2016-10010 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +OpenSSH is an implementation of the SSH protocol suite, providing an +encrypted and authenticated transport for a variety of services, +including remote shell access. + +OpenSSH supports accessing keys provided by a PKCS#11 token. + +II. Problem Description + +The ssh-agent(1) agent supports loading a PKCS#11 module from outside a +trusted whitelist. An attacker can request loading of a PKCS#11 module +across forwarded agent-socket. [CVE-2016-10009] + +When privilege separation is disabled, forwarded Unix domain sockets +would be created by sshd(8) with the privileges of 'root' instead of +the authenticated user. [CVE-2016-10010] + +III. Impact + +A remote attacker who have control of a forwarded agent-socket on a +remote system and have the ability to write files on the system +running ssh-agent(1) agent can run arbitrary code under the same user +credential. Because the attacker must already have some control on +both systems, it is relatively hard to exploit this vulnerability in +a practical attack. 
[CVE-2016-10009] + +When privilege separation is disabled (on FreeBSD, privilege separation +is enabled by default and has to be explicitly disabled), an authenticated +attacker can potentially gain root privileges on systems running OpenSSH +server. [CVE-2016-10010] + +IV. Workaround + +Systems not running ssh-agent(1) and sshd(8) services are not affected. + +System administrators may remove ssh-agent(1) to mitigate CVE-2016-10009. + +System administrators should enable privilege separation when running +OpenSSH server, which is the FreeBSD default, to mitigate CVE-2016-10010. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Kill all running ssh-agent(1) process and restart sshd(8) service. +A reboot is recommended but not required. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Kill all running ssh-agent(1) process and restart sshd(8) service. +A reboot is recommended but not required. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch +# fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch.asc +# gpg --verify openssh.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Kill all running ssh-agent(1) process and restart sshd(8) service. 
+A reboot is recommended but not required. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r311915 +releng/10.3/ r311916 +stable/11/ r311915 +releng/11.0/ r311916 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.16 (FreeBSD) + +iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlh1yuAACgkQ7Wfs1l3P +auebFA//TGtwrub7JNTgKdc5qnpw+s8W1j0AnQ4wTaJ6v7zNyUB0DG+LHW4uXCwR +xc9Etd2mhY26wJIUxx0Z3oArcqVBGpCGbozuIOU6AdgmHdOL3ddj8aq4SuC0PyMA +0OvNgZIRPZxEm81MP+6/GES4JLmOumiNeAG/MrtITGJDP/K5vVPIst/+F7OJ4P2+ +OGrjqBWmAz2EMG62QUJI8oSwB+FJpXtWHKOC4fPGibAQe3vF1WequbcDkLsYl1pX +Ktlk/qh9ivaQreM9rHkUDF0PYwFdsXzveze/TLNbEo+w43v/PAlyR+xw2+22VjGK +fxTL8Gk2tMQfahGZwFmmQFPLcwNRcdjgnZcRRHA3z8vKgM831A53gV3KskUwZl4V +DyKdXtl44zrZ7PtPJ1gJkPK6B8zzfjnSwzPC51pDjh30ps28Rgfc6JOyjxhX5BJ4 +sXvQ3meiEfVgVq3DpTqQ3mZVQ1pRF+yhPf1Ptts9fQzAD95JsFF0WT0nzbYoB2VY +KrU4V7d/Ys+HIeQWgDwZlFuLOULlVZDW/H55PT5Tx9JvP5vRlZS/w2HHN7wwy8n5 +tNX9mcH8DuG7X/jWDR9ompbJp5uZqcKWVMHPQY7fnaLSJoQMqrpPgZ9tsw6wq347 +Vslm3qQwUTSGRagH0rBuHiVJmY/AeqY3lvsaZklWGIYMRjmUeA0= +=3z/p +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-17:01/openssh.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:01/openssh.patch Wed Jan 11 06:07:42 2017 (r49830) 
@@ -0,0 +1,170 @@ +--- crypto/openssh/serverloop.c.orig ++++ crypto/openssh/serverloop.c +@@ -995,7 +995,7 @@ + + /* XXX fine grained permissions */ + if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && +- !no_port_forwarding_flag) { ++ !no_port_forwarding_flag && use_privsep) { + c = channel_connect_to_path(target, + "direct-streamlocal@openssh.com", "direct-streamlocal"); + } else { +@@ -1279,7 +1279,7 @@ + + /* check permissions */ + if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 +- || no_port_forwarding_flag) { ++ || no_port_forwarding_flag || !use_privsep) { + success = 0; + packet_send_debug("Server has disabled port forwarding."); + } else { +--- crypto/openssh/ssh-agent.1.orig ++++ crypto/openssh/ssh-agent.1 +@@ -48,6 +48,7 @@ + .Op Fl a Ar bind_address + .Op Fl E Ar fingerprint_hash + .Op Fl t Ar life ++.Op Fl P Ar pkcs11_whitelist + .Op Ar command Op Ar arg ... + .Nm ssh-agent + .Op Fl c | s +@@ -122,6 +123,18 @@ + Kill the current agent (given by the + .Ev SSH_AGENT_PID + environment variable). ++.It Fl P ++Specify a pattern-list of acceptable paths for PKCS#11 shared libraries ++that may be added using the ++.Fl s ++option to ++.Xr ssh-add 1 . ++The default is to allow loading PKCS#11 libraries from ++.Dq /usr/lib/*,/usr/local/lib/* . ++PKCS#11 libraries that do not match the whitelist will be refused. ++See PATTERNS in ++.Xr ssh_config 5 ++for a description of pattern-list syntax. + .It Fl s + Generate Bourne shell commands on + .Dv stdout . 
+--- crypto/openssh/ssh-agent.c.orig ++++ crypto/openssh/ssh-agent.c +@@ -84,11 +84,16 @@ + #include "misc.h" + #include "digest.h" + #include "ssherr.h" ++#include "match.h" + + #ifdef ENABLE_PKCS11 + #include "ssh-pkcs11.h" + #endif + ++#ifndef DEFAULT_PKCS11_WHITELIST ++# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*" ++#endif ++ + #if defined(HAVE_SYS_PRCTL_H) + #include /* For prctl() and PR_SET_DUMPABLE */ + #endif +@@ -140,6 +145,9 @@ + char socket_name[PATH_MAX]; + char socket_dir[PATH_MAX]; + ++/* PKCS#11 path whitelist */ ++static char *pkcs11_whitelist; ++ + /* locking */ + #define LOCK_SIZE 32 + #define LOCK_SALT_SIZE 16 +@@ -761,7 +769,7 @@ + static void + process_add_smartcard_key(SocketEntry *e) + { +- char *provider = NULL, *pin; ++ char *provider = NULL, *pin, canonical_provider[PATH_MAX]; + int r, i, version, count = 0, success = 0, confirm = 0; + u_int seconds; + time_t death = 0; +@@ -793,10 +801,21 @@ + goto send; + } + } ++ if (realpath(provider, canonical_provider) == NULL) { ++ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", ++ provider, strerror(errno)); ++ goto send; ++ } ++ if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) { ++ verbose("refusing PKCS#11 add of \"%.100s\": " ++ "provider not whitelisted", canonical_provider); ++ goto send; ++ } ++ debug("%s: add %.100s", __func__, canonical_provider); + if (lifetime && !death) + death = monotime() + lifetime; + +- count = pkcs11_add_provider(provider, pin, &keys); ++ count = pkcs11_add_provider(canonical_provider, pin, &keys); + for (i = 0; i < count; i++) { + k = keys[i]; + version = k->type == KEY_RSA1 ? 
1 : 2; +@@ -804,8 +823,8 @@ + if (lookup_identity(k, version) == NULL) { + id = xcalloc(1, sizeof(Identity)); + id->key = k; +- id->provider = xstrdup(provider); +- id->comment = xstrdup(provider); /* XXX */ ++ id->provider = xstrdup(canonical_provider); ++ id->comment = xstrdup(canonical_provider); /* XXX */ + id->death = death; + id->confirm = confirm; + TAILQ_INSERT_TAIL(&tab->idlist, id, next); +@@ -1200,7 +1219,7 @@ + { + fprintf(stderr, + "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" +- " [-t life] [command [arg ...]]\n" ++ " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n" + " ssh-agent [-c | -s] -k\n"); + fprintf(stderr, " -x Exit when the last client disconnects.\n"); + exit(1); +@@ -1246,7 +1265,7 @@ + __progname = ssh_get_progname(av[0]); + seed_rng(); + +- while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) { ++ while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) { + switch (ch) { + case 'E': + fingerprint_hash = ssh_digest_alg_by_name(optarg); +@@ -1261,6 +1280,11 @@ + case 'k': + k_flag++; + break; ++ case 'P': ++ if (pkcs11_whitelist != NULL) ++ fatal("-P option already specified"); ++ pkcs11_whitelist = xstrdup(optarg); ++ break; + case 's': + if (c_flag) + usage(); +@@ -1298,6 +1322,9 @@ + if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag)) + usage(); + ++ if (pkcs11_whitelist == NULL) ++ pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST); ++ + if (ac == 0 && !c_flag && !s_flag) { + shell = getenv("SHELL"); + if (shell != NULL && (len = strlen(shell)) > 2 && +@@ -1445,7 +1472,7 @@ + signal(SIGTERM, cleanup_handler); + nalloc = 0; + +- if (pledge("stdio cpath unix id proc exec", NULL) == -1) ++ if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1) + fatal("%s: pledge: %s", __progname, strerror(errno)); + platform_pledge_agent(); + Added: head/share/security/patches/SA-17:01/openssh.patch.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:01/openssh.patch.asc Wed Jan 11 06:07:42 2017 (r49830) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.16 (FreeBSD) + +iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlh1yvIACgkQ7Wfs1l3P +aueENxAA2X3idqTkyums/ZHD7VJm1XKo+Nyoa1iGHjxcBpipjKfzvx7fSzHdNWLu +wFVAr7XAqtpQF8EzkhzdrN/tGVOpc+qqQv4MwGPmG8SgOnRHIgbscOwIdeDixp40 +wMtLoP8QGxoYZlT7mPmkLqumtz+f22nO7BZCXOtY/f1e7weGBhoau1+s4ozHLpoA +10dCHTmofGoWjSBVK/m25GZQ+dE4NjvLxTpysYq+ehDSfwRSn8fhYjqc98gEwz2q +/FCtxT8wkrnRrCyIs7Wh4it76XhTZL/tXrTgtpZPBbyNkoNn40YJM9fs9EOZ2X+/ +N5f996ApeX6QHkALMjOwTpmPT9QfkJcqv3Q52ie9CaNQW2Eh/aHUWZywgUnoZcr1 +TfUm3uUTj9HQYS/IzdJHEuVZ/S4X2SEnVG/MtcVGWaKACL5ePRzo/wngV/IoM9x/ +yiW0MuzLRXEZPcO/oEcSLCsVzAv8FT4UBVEteIDyWKJAkLX0jAFMniiITAxxIMAa +SHHHQPms7udVbBTXdbRbaWuMQFxVfeahTT0os0zLxBsGteKzFF1L69RvNx0dh8oY +kJaFU93N5T1yoen2QEkoDqfYskIVsDzQpyNT9pS6pdZKXDwK2/y73XXmOD5jblp2 +5z3BNFdxoN647AAXr9+0TYm1Ax4TDoAmJlPOZroWPqJ0Bpoc4XI= +=avDp +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Tue Jan 10 23:08:09 2017 (r49829) +++ head/share/xml/advisories.xml Wed Jan 11 06:07:42 2017 (r49830) @@ -5,6 +5,22 @@ + 2017 + + + 1 + + + 11 + + + FreeBSD-SA-17:01.openssh + + + + + + 2016
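Review bot: The new advisory text (FreeBSD-SA-17:01.openssh.asc hunk) needs a grammar pass in sections III and V before it ships: "A remote attacker who have control of a forwarded agent-socket on a remote system and have the ability" should read "who has control ... and has the ability", and the three occurrences of "Kill all running ssh-agent(1) process" should be "processes". As rendered in this mail, the angle-bracketed links are empty in the Background pointer ("please visit ."), in step 3c ("as described in .") and throughout section VII. References; confirm the URLs are present in the committed file. In section IV, the workaround for CVE-2016-10009 says to remove ssh-agent(1); since section V already tells administrators to kill running agents after updating, the workaround could say the same so that an agent started before the change is not left running.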
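Review bot: In the openssh.patch serverloop.c change at @@ -1279,7 +1279,7 @@, the new `|| !use_privsep` condition falls into the existing branch that sends `packet_send_debug("Server has disabled port forwarding.")`, so a client of a server with privilege separation turned off is told forwarding is disabled when it is actually refused because privsep is off; a distinct debug message and a server-side log line would make the CVE-2016-10010 mitigation easier to diagnose from sshd logs. The matching `&& use_privsep` added at @@ -995,7 +995,7 @@ takes the else path whose body is outside the hunk, so check that it also logs why the direct-streamlocal request was refused.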
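Review bot: In the ssh-agent.c change at @@ -793,10 +801,21 @@, canonicalising the provider with realpath(3) before `match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1` is the right order, since a symlink placed under a whitelisted directory resolves to its real target before the whitelist is consulted, and `id->provider` / `id->comment` at @@ -804,8 +823,8 @@ are correctly switched to the canonical path. Two things worth documenting: the `!= 1` test treats anything other than a positive match as a refusal, so a `-P` list made only of negated patterns (the ssh-agent.1 text points at PATTERNS in ssh_config(5), which allows negation) refuses every provider, and the man page should say so; and the pledge change at @@ -1445,7 +1472,7 @@ adds "rpath", which realpath(3) needs, so the -P handling and the pledge change must not be split across commits. Minor nit: the ssh-agent.1 synopsis adds `.Op Fl P Ar pkcs11_whitelist` after `.Op Fl t Ar life`, while usage() prints "[-P pkcs11_whitelist] [-t life]"; pick one order.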
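Review bot: The head/share/xml/advisories.xml hunk at @@ -5,6 +5,22 @@ reaches this mail with only its text nodes (2017, 1, 11, FreeBSD-SA-17:01.openssh, 2016) and none of the element tags, so the structure of the new entry cannot be checked here; confirm the committed entry nests year, month, day and advisory name the same way as the existing 2016 entries and that the tree still builds.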