diff options
Diffstat (limited to 'website/static/security/advisories/FreeBSD-SA-23:19.openssh.asc')
| -rw-r--r-- | website/static/security/advisories/FreeBSD-SA-23:19.openssh.asc | 152 |
1 files changed, 152 insertions, 0 deletions
diff --git a/website/static/security/advisories/FreeBSD-SA-23:19.openssh.asc b/website/static/security/advisories/FreeBSD-SA-23:19.openssh.asc new file mode 100644 index 0000000000..0e66dbadd5 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-23:19.openssh.asc @@ -0,0 +1,152 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:19.openssh Security Advisory + The FreeBSD Project + +Topic: Prefix Truncation Attack in the SSH protocol + +Category: contrib +Module: openssh +Announced: 2023-12-19 +Credits: Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk +Affects: All supported versions of FreeBSD. +Corrected: 2023-12-18 16:54:31 UTC (stable/14, 14.0-STABLE) + 2023-12-19 20:19:48 UTC (releng/14.0, 14.0-RELEASE-p4) + 2023-12-18 17:10:15 UTC (stable/13, 13.2-STABLE) + 2023-12-19 20:19:57 UTC (releng/13.2, 13.2-RELEASE-p9) +CVE Name: CVE-2023-48795 + +Note: While this issue does affect 12.4-STABLE and 12.4-RELEASE, the version +of OpenSSH in 12.4 is old enough the vendor provided patch does not cleanly +apply. As 12.4 goes out of support at the end of December and in order to +quickly get fixes out for 14.0 and 13.2, the FreeBSD Security Team is issuing +this advisory now while feasibility of a 12.4 backport is investigated. Users +with 12.4 are encouraged to either implement the documented workaround or +leverage an up to date version of OpenSSH from the ports/pkg collection. + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +0. Revision History + +v1.0 2023-12-19 -- Initial release +v1.1 2023-12-20 -- Corrected work around paths + +I. Background + +OpenSSH is an implementation of the SSH protocol suite, providing an +encrypted and authenticated transport for a variety of services, including +remote shell access. + +II. Problem Description + +The SSH protocol executes an initial handshake between the server and the +client. This protocol handshake includes the possibility of several +extensions allowing different options to be selected. Validation of the +packets in the handshake is done through sequence numbers. + +III. Impact + +A man in the middle attacker can silently manipulate handshake messages to +truncate extension negotiation messages potentially leading to less secure +client authentication algorithms or deactivating keystroke timing attack +countermeasures. + +IV. Workaround + +Add the following lines to /etc/ssh/ssh_config and /etc/ssh/sshd_config: + Ciphers -chacha20-poly1305@openssh.com + MACs -*etm@openssh.com + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platfrom on FreeBSD 13 and earlier, can be updated via +the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-23:19/openssh.patch +# fetch https://security.FreeBSD.org/patches/SA-23:19/openssh.patch.asc +# gpg --verify openssh.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 673d1ead65c9 stable/14-n266020 +releng/14.0/ b9856d61e99d releng/14.0-n265399 +stable/13/ 3bafcb9744c9 stable/13-n256910 +releng/13.2/ 69bd68ba30c0 releng/13.2-n254651 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://terrapin-attack.com/> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:19.openssh.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmWCZcoACgkQbljekB8A +Gu8fKA/9EzmQuXALYWjHoXAsizzgP1jw3sjN2sNqlggiAkTiN6pEQs8VlIroeTUn +2hfktGHX9RQ85czE2VDHgP/HMA0cm84CIuF0g+m4cxzO8v1m+5bKd44jEJLjwO/P +/LOmL3PYAfp6S1nHhgprq8Hw1GEKrlySLs+MYj3FwfdcqdTMuvrFsUDef7KQ7MVy +lvj5oJQZitPQ4EGhGiHVobl6vWdU/xuroHlNtdEqExbOqOyVDH7daSfu7ipd20Y+ +2plRLjkscwlneLjdDe420cebYWxnvUamD09ppTiANaknjlCTf2Tclb6Wf8nAtxaA +VsJosQSpI730fpxDn7S9ARHYOymwUf1ptQQd5q8Zj415+eVjJ7XGd96z6hx3B3Yt +zJv7mwC22Cp9wqBMvAG9/z7kxZ5buhC25VR795SxnN/uwNqnH/OHxBV4oTEmf5Lk +ytLqIekrPJqTiGgSGPkylXtfFaV0YJnkXGWeAduaoWEKwO8zaFEkMXypc7L5J9XT +rSKMpPL2+vczKyQ534uzjGFLY5o0pI9EhQtDtxHkJ6olN3xfuBT/GkBkxe3JFxmE +2pHvMplErDpprieNhICVey/polRzk7JIA+M1x7o2IZZVnlc1vsPIeXnOOMzY4+7z +qeymU3QQf2pmIZpVL3dp26bnTB0oCRaJwEb5nuMfutIzTz4t1TY= +=hvau +-----END PGP SIGNATURE----- |