From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 20:09:40 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B970C106567A for ; Thu, 17 Apr 2008 20:09:40 +0000 (UTC) (envelope-from fbsdlists@gmail.com) Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.231]) by mx1.freebsd.org (Postfix) with ESMTP id 6FE7C8FC19 for ; Thu, 17 Apr 2008 20:09:40 +0000 (UTC) (envelope-from fbsdlists@gmail.com) Received: by wx-out-0506.google.com with SMTP id i29so238469wxd.7 for ; Thu, 17 Apr 2008 13:09:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=Gc7red1L6gs2Jt6ZcEtxvn63GvqVZqxfQ1XOEDPuUoI=; b=jKl84aOE9SsN7aq8WvNtWGsj6yepQE+VI6f6Z+4/P0NACRx0md+wMUKH5WhpiGu+xEetPC7z+7hO5RteoRasQRX/7mFSzU161bxQWzqum1NbPCI3OtbhfhuoVWznPFyl9zkEGhlILJUgRNJ5piCGjtaD7SxEjFiYx99pDtocNlI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Ke2pQDd9Sc5yyQZUMPa8IKYYJng3c1gK/YxQt1pSHvl4XjIK9GavcrqNbH7TaAfwqo8EL9dnmL1/HHp51Dg8imGkrxw2Tuf8lHr0FuSz5iBs8EeAU8l7qGMhgRNyynpgPIxvfBpTbhKGRYMuErSFA986/a20HejGEhG4CRinqiM= Received: by 10.141.203.7 with SMTP id f7mr1078919rvq.7.1208461357680; Thu, 17 Apr 2008 12:42:37 -0700 (PDT) Received: by 10.141.114.5 with HTTP; Thu, 17 Apr 2008 12:42:37 -0700 (PDT) Message-ID: <54db43990804171242r4e8048c7hc8caa377a7ddc13f@mail.gmail.com> Date: Thu, 17 Apr 2008 15:42:37 -0400 From: "Bob Johnson" To: freebsd-security@freebsd.org In-Reply-To: <200804170014.m3H0Et26028285@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <200804170014.m3H0Et26028285@freefall.freebsd.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Apr 2008 20:09:40 -0000 Minor typo: In the list of corrected versions, shouldn't "RELENG_7_0, 7.1-RELEASE-p1" say "RELENG_7_0, 7.0-RELEASE-p1", i.e. it says 7.1 rather than 7.0? - Bob On 4/16/08, FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > ============================================================================= > FreeBSD-SA-08:05.openssh Security > Advisory > The FreeBSD > Project > > Topic: OpenSSH X11-forwarding privilege escalation > > Category: contrib > Module: openssh > Announced: 2008-04-17 > Credits: Timo Juhani Lindfors > Affects: All supported versions of FreeBSD > Corrected: 2008-04-16 23:58:33 UTC (RELENG_7, 7.0-STABLE) > 2008-04-16 23:58:52 UTC (RELENG_7_0, 7.1-RELEASE-p1) > 2008-04-16 23:59:35 UTC (RELENG_6, 6.3-STABLE) > 2008-04-16 23:59:48 UTC (RELENG_6_3, 6.3-RELEASE-p2) > 2008-04-17 00:00:04 UTC (RELENG_6_2, 6.2-RELEASE-p12) > 2008-04-17 00:00:28 UTC (RELENG_6_1, 6.1-RELEASE-p24) > 2008-04-17 00:00:41 UTC (RELENG_5, 5.5-STABLE) > 2008-04-17 00:00:54 UTC (RELENG_5_5, 5.5-RELEASE-p20) > CVE Name: CVE-2008-1483 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > OpenSSH is an implementation of the SSH protocol suite, providing an > encrypted and authenticated transport for a variety of services, > including remote shell access. The OpenSSH server daemon (sshd) > provides support for the X11 protocol by binding to a port on the > server and forwarding any connections which are made to that port. > > II. Problem Description > > When logging in via SSH with X11-forwarding enabled, sshd(8) fails to > correctly handle the case where it fails to bind to an IPv4 port but > successfully binds to an IPv6 port. In this case, applications which > use X11 will connect to the IPv4 port, even though it had not been > bound by sshd(8) and is therefore not being securely forwarded. > > III. Impact > > A malicious user could listen for X11 connections on a unused IPv4 > port, e.g tcp port 6010. When an unaware user logs in and sets up X11 > fowarding the malicious user can capture all X11 data send over the > port, potentially disclosing sensitive information or allowing the > execution of commands with the privileges of the user using the > X11 forwarding. > > NOTE WELL: FreeBSD ships with IPv6 enabled by default in the GENERIC > and SMP kernels, so users are vulnerable even they have not explicitly > enabled IPv6 networking. > > IV. Workaround > > Disable support for IPv6 in the sshd(8) daemon by setting the option > "AddressFamily inet" in /etc/ssh/sshd_config. > > Disable support for X11 forwarding in the sshd(8) daemon by setting > the option "X11Forwarding no" in /etc/ssh/sshd_config. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to 5-STABLE, 6-STABLE, or 7-STABLE, > or to the RELENG_7_0, RELENG_6_3, RELENG_6_2, RELENG_6_1, RELENG_5_5 > security branch dated after the correction date. > > 2) To patch your present system: > > The following patch has been verified to apply to FreeBSD 5.5, 6.1, > 6.2, 6.3, and 7.0 systems. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch http://security.FreeBSD.org/patches/SA-08:05/openssh.patch > # fetch http://security.FreeBSD.org/patches/SA-08:05/openssh.patch.asc > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > # cd /usr/src/secure/lib/libssh > # make obj && make depend && make && make install > # cd /usr/src/secure/usr.sbin/sshd > # make obj && make depend && make && make install > # /etc/rc.d/sshd restart > > VI. Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > Branch Revision > Path > - ------------------------------------------------------------------------- > RELENG_5 > src/crypto/openssh/channels.c 1.18.2.1 > RELENG_5_5 > src/UPDATING 1.342.2.35.2.21 > src/sys/conf/newvers.sh 1.62.2.21.2.22 > src/crypto/openssh/channels.c 1.18.8.1 > RELENG_6 > src/crypto/openssh/channels.c 1.20.2.3 > RELENG_6_3 > src/UPDATING 1.416.2.37.2.6 > src/sys/conf/newvers.sh 1.69.2.15.2.5 > src/crypto/openssh/channels.c 1.20.2.2.4.1 > RELENG_6_2 > src/UPDATING 1.416.2.29.2.16 > src/sys/conf/newvers.sh 1.69.2.13.2.15 > src/crypto/openssh/channels.c 1.20.2.2.2.1 > RELENG_6_1 > src/UPDATING 1.416.2.22.2.27 > src/sys/conf/newvers.sh 1.69.2.11.2.26 > src/crypto/openssh/channels.c 1.20.2.1.4.1 > RELENG_7 > src/crypto/openssh/channels.c 1.23.2.1 > RELENG_7_0 > src/UPDATING 1.507.2.3.2.5 > src/sys/conf/newvers.sh 1.72.2.5.2.5 > src/crypto/openssh/channels.c 1.23.4.1 > - ------------------------------------------------------------------------- > > VII. References > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483 > http://www.openssh.com/txt/release-5.0 > > The latest revision of this advisory is available at > http://security.FreeBSD.org/advisories/FreeBSD-SA-08:05.openssh.asc > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (FreeBSD) > > iD8DBQFIBpWTFdaIBMps37IRAomdAJ9hKgp/MG2PbVVojAMjCTtcY6T5HgCeNDxa > iA55tmcA3GXbsXAd/flJZO4= > =joYI > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security-notifications@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications > To unsubscribe, send any mail to > "freebsd-security-notifications-unsubscribe@freebsd.org" >