From owner-freebsd-security@FreeBSD.ORG Tue Nov 19 11:59:25 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 50D8737E for ; Tue, 19 Nov 2013 11:59:25 +0000 (UTC) Received: from fate.ctgameinfo.com (ns1.ctgameinfo.com [184.172.20.152]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 2B3F12ACF for ; Tue, 19 Nov 2013 11:59:24 +0000 (UTC) Received: from [192.168.2.10] (S0106687f749dc87e.vs.shawcable.net [184.65.77.230]) by fate.ctgameinfo.com (Postfix) with ESMTPA id 5EC9745091 for ; Tue, 19 Nov 2013 03:52:55 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.97.8 at spamass Message-ID: <528B5118.2010605@ctgameinfo.com> Date: Tue, 19 Nov 2013 03:52:56 -0800 From: Cstdenis User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:14.openssh References: <20131119102130.90E5C1A3B@nine.des.no> In-Reply-To: <20131119102130.90E5C1A3B@nine.des.no> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Tue, 19 Nov 2013 12:43:13 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Nov 2013 11:59:25 -0000 I think the file in workaround should actually be /etc/ssh/sshd_config unless I am mistaken. On 11/19/2013 2:21 AM, FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > ============================================================================= > FreeBSD-SA-13:14.openssh Security Advisory > The FreeBSD Project > > Topic: OpenSSH AES-GCM memory corruption vulnerability > > Category: contrib > Module: openssh > Announced: 2013-11-19 > Affects: FreeBSD 10.0-BETA > Corrected: 2013-11-19 09:35:20 UTC (stable/10, 10.0-STABLE) > 2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA3-p1) > 2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA2-p1) > 2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA1-p2) > CVE Name: CVE-2013-4548 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > OpenSSH is an implementation of the SSH protocol suite, providing an > encrypted and authenticated transport for a variety of services, > including remote shell access. > > AES-GCM (Galois/Counter Mode) is a mode of operation for AES block > cipher that combines the counter mode of encryption with the Galois > mode of authentication which can offer throughput rates for state of > the art, high speed communication channels. > > OpenSSH supports the AES-GCM algorithm as specified in RFC 5647. > > II. Problem Description > > A memory corruption vulnerability exists in the post-authentication sshd > process when an AES-GCM cipher (aes128-gcm@openssh.com or > aes256-gcm@openssh.com) is selected during key exchange. > > III. Impact > > If exploited, this vulnerability might permit code execution with the > privileges of the authenticated user, thereby allowing a malicious > user with valid credentials to bypass shell or command restrictions > placed on their account. > > IV. Workaround > > Disable AES-GCM in the server configuration. This can be accomplished by > adding the following /etc/sshd_config option, which will disable AES-GCM > while leaving other ciphers active: > > Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc > > Systems not running the OpenSSH server daemon (sshd) are not affected. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > 2) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch http://security.FreeBSD.org/patches/SA-13:14/openssh.patch > # fetch http://security.FreeBSD.org/patches/SA-13:14/openssh.patch.asc > # gpg --verify openssh.patch.asc > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > Recompile the operating system using buildworld and installworld as > described in . > > Restart the sshd daemon, or reboot the system. > > 3) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > > VI. Correction details > > The following list contains the correction revision numbers for each > affected branch. > > Branch/path Revision > - ------------------------------------------------------------------------- > stable/10/ r258335 > - ------------------------------------------------------------------------- > > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > > > VII. References > > > > The latest revision of this advisory is available at > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.15 (FreeBSD) > > iQIcBAEBAgAGBQJSizUhAAoJEO1n7NZdz2rn6VcQALriII/5f2ipZQeOt41p5oBi > r3qQ3uoZc705MGhld/Zz/RjmB8N+NSZUCZQP0sjaEUkksykZNQhmlbvJXB0ywDHP > ggIpq++7r2igXMwqqj+7SEtOkQc/rP8/pDjAn0CJKDGIItgpYuqB34sEJNNuYjiM > f/bdfXN3zU4VOiIjCjfGuOamGPXCyRdEAm9HKMVWuDqXIjBHdOxhkw2TnyrC77Vd > IxOEYsD97XYuJF++55uHBMv+jynrlQfJF9s3+rQVGOqs14KXYJ+HeqFwxJkhIzyg > BrxotPNcO6i5lFOiZrCcmEkf3SRh3Ok3CFFFdn9EhOTxrfGKRm/7R+WB0NKT4+ll > sAWfhCCMHkhE/j/0L/DCGL8wD6zH1bzpFWn6efAlih4N5YXSJfGlZdkPw0zl/ZgD > umYiwpr9PMnPtocfpV51HITNf0T+CUUHJ5bI3Do9cKZyr3yt869r2MNH6PLT0Lyl > 4YTcN6IC1K+2JXxvjry7wuJWaPUDS/Hl7Rb3vivdyFJsOF6cddCq1uoU/COXjEE7 > KF2+KXNKyCZvfPYxzaljvQjEEGZFswN21YrG4dk3JbaOEo0/+s06DJe/YDhagRgQ > h1DtzesRuV8Mlxf0kCX5dmMEjIYX0ZtsZT7aueoSD0zGDFpiOjMQ2DQ3O9S3UhFz > ScAFXjtFwMqy8RkwNzIp > =Nkc2 > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-announce@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"