Re: FreeBSD Security Advisory FreeBSD-SA-06:22.openssh

2006-10-07 Thread Avleen Vig
On Mon, Oct 02, 2006 at 02:25:05PM -0700, Colin Percival wrote:
 Theo de Raadt wrote:
  The OpenSSH project believe that the race condition can lead to a Denial
  of Service or potentially remote code execution
 ^
  Bullshit.  Where did anyone say this?
 
 The OpenSSH 4.4 release announcement says that, actually:
 
  * Fix an unsafe signal handler reported by Mark Dowd. The signal
handler was vulnerable to a race condition that could be exploited
to perform a pre-authentication denial of service. On portable
OpenSSH, this vulnerability could theoretically lead to
 ^^
pre-authentication remote code execution if GSSAPI authentication
is enabled, but the likelihood of successful exploitation appears
remote.

Theo: Maybe you should put people in charge who can read their own
release announcements before flaming a mailing list.
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:22.openssh

2006-10-02 Thread Simon L. Nielsen
On 2006.10.01 15:10:50 -0700, Mark Peek wrote:
 Topic:  Multiple vulnerabilities in OpenSSH

 BTW, the patches for this advisory appear to also need a patch to add log.c 
 into src/secure/usr.sbin/sshd/Makefile.

Eh, why?  log.c is built by libssh.

-- 
Simon L. Nielsen


Re: FreeBSD Security Advisory FreeBSD-SA-06:22.openssh

2006-10-02 Thread Colin Percival
Theo de Raadt wrote:
 The OpenSSH project believe that the race condition can lead to a Denial
 of Service or potentially remote code execution
^
 Bullshit.  Where did anyone say this?

The OpenSSH 4.4 release announcement says that, actually:

 * Fix an unsafe signal handler reported by Mark Dowd. The signal
   handler was vulnerable to a race condition that could be exploited
   to perform a pre-authentication denial of service. On portable
   OpenSSH, this vulnerability could theoretically lead to
^^
   pre-authentication remote code execution if GSSAPI authentication
   is enabled, but the likelihood of successful exploitation appears
   remote.

Colin Percival


FreeBSD Security Advisory FreeBSD-SA-06:22.openssh

2006-09-30 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

=============================================================================
FreeBSD-SA-06:22.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:  Multiple vulnerabilities in OpenSSH

Category:   contrib
Module: openssh
Announced:  2006-09-30
Credits:Tavis Ormandy, Mark Dowd
Affects:All FreeBSD releases.
Corrected:  2006-09-30 19:50:57 UTC (RELENG_6, 6.2-PRERELEASE)
2006-09-30 19:51:56 UTC (RELENG_6_1, 6.1-RELEASE-p10)
2006-09-30 19:53:21 UTC (RELENG_6_0, 6.0-RELEASE-p15)
2006-09-30 19:54:03 UTC (RELENG_5, 5.5-STABLE)
2006-09-30 19:54:58 UTC (RELENG_5_5, 5.5-RELEASE-p8)
2006-09-30 19:55:52 UTC (RELENG_5_4, 5.4-RELEASE-p22)
2006-09-30 19:56:38 UTC (RELENG_5_3, 5.3-RELEASE-p37)
2006-09-30 19:57:15 UTC (RELENG_4, 4.11-STABLE)
2006-09-30 19:58:07 UTC (RELENG_4_11, 4.11-RELEASE-p25)
CVE Name:   CVE-2006-4924, CVE-2006-5051

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted, authenticated transport for a variety of services,
including remote shell access.

II.  Problem Description

The CRC compensation attack detector in the sshd(8) daemon, upon receipt
of duplicate blocks, uses CPU time cubic in the number of duplicate
blocks received.  [CVE-2006-4924]

A race condition exists in a signal handler used by the sshd(8) daemon
to handle the LoginGraceTime option, which can potentially cause some
cleanup routines to be executed multiple times.  [CVE-2006-5051]
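
The bug class described in the paragraph above (a grace-period SIGALRM handler running cleanup that the normal exit path also runs) is illustrated by the following added example. This is example code written for this page, not OpenSSH's sshd.c; the session structure, cleanup_session(), the handler names and the signal-injection hook are hypothetical. The unsafe handler re-enters the shared cleanup on the same state and releases it a second time; the safe handler only sets a flag and leaves cleanup in normal context.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-connection state that must be released exactly once. */
struct session {
    char *banner;   /* heap buffer released by cleanup_session() */
    int   freed;    /* instrumentation only: has banner been released? */
};

static struct session *current;                 /* global, as long-lived daemons often keep it */
static volatile sig_atomic_t grace_expired = 0; /* the only thing the safe handler touches */
static int cleanup_calls;                       /* how often cleanup_session() ran */
static int double_free_detected;                /* releases of an already-released buffer */
static int inject_signal;                       /* fire SIGALRM once, mid-cleanup */

/* Cleanup shared by the timeout path and the normal exit path. */
static void cleanup_session(struct session *s)
{
    char *p = s->banner;
    cleanup_calls++;
    /* Simulate LoginGraceTime expiring right here, while cleanup is in progress. */
    if (inject_signal) {
        inject_signal = 0;
        raise(SIGALRM);
    }
    /* Real code would free(p) unconditionally here. The flag check turns the
     * second release into a counted event instead of a crash. */
    if (s->freed) {
        double_free_detected++;
        return;
    }
    free(p);
    s->freed = 1;
}

/* UNSAFE: runs the shared cleanup (free(), and typically logging) from the
 * handler, so an alarm during cleanup re-enters it on the same state. */
static void unsafe_alarm_handler(int sig)
{
    (void)sig;
    cleanup_session(current);
}

/* SAFE: only records the event; cleanup stays in normal context and runs once.
 * The other async-signal-safe choice is to write a fixed message and _exit()
 * without running cleanup at all. */
static void safe_alarm_handler(int sig)
{
    (void)sig;
    grace_expired = 1;
}

static void install_handler(void (*handler)(int))
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);
}

/* Simulate one connection whose grace timer fires during teardown.
 * Returns the number of double releases observed. */
static int simulate(void (*handler)(int))
{
    struct session s;
    s.banner = malloc(32);
    s.freed = 0;
    current = &s;
    cleanup_calls = double_free_detected = 0;
    grace_expired = 0;
    inject_signal = 1;
    install_handler(handler);

    cleanup_session(&s);   /* normal exit path begins teardown; alarm fires inside */

    /* Safe design: the main loop checks the flag. State is already released,
     * so there is nothing left to do; in a daemon this is where it would exit. */
    if (grace_expired && !s.freed)
        cleanup_session(&s);

    install_handler(SIG_DFL);
    return double_free_detected;
}

int demo_unsafe_handler(void) { return simulate(unsafe_alarm_handler); }
int demo_safe_handler(void)   { return simulate(safe_alarm_handler); }
int last_cleanup_calls(void)  { return cleanup_calls; }
```

demo_unsafe_handler() reports one double release after two cleanup runs; demo_safe_handler() reports none after a single run. The rule it demonstrates is the standard one: a handler may set a volatile sig_atomic_t flag or call _exit(), but must not call free(), the logging code, or anything else that the interrupted code may itself be in the middle of.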

III. Impact

An attacker sending specially crafted packets to sshd(8) can cause a
Denial of Service by using 100% of CPU time until a connection timeout
occurs.  Since this attack can be performed over multiple connections
simultaneously, it is possible to cause up to MaxStartups (10 by default)
sshd processes to use all the CPU time they can obtain.  [CVE-2006-4924]

The OpenSSH project believe that the race condition can lead to a Denial
of Service or potentially remote code execution, but the FreeBSD Security
Team has been unable to verify the exact impact.  [CVE-2006-5051]

IV.  Workaround

The attack against the CRC compensation attack detector can be avoided
by disabling SSH Protocol version 1 support in sshd_config(5).
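
As an added check for the workaround above (this script is not part of the advisory), the following POSIX sh reports whether an sshd_config still enables SSH protocol 1. It assumes sshd honours the first uncommented Protocol line, that keywords are case-insensitive, and, when no Protocol line is present, the OpenSSH default of that era, "2,1"; the sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for the CVE-2006-4924 workaround (not part of the advisory):
# report whether an sshd_config still enables SSH protocol 1.
# sshd honours the first uncommented "Protocol" line; keywords are
# case-insensitive. If the file has no Protocol line we assume the OpenSSH
# default of that era, "2,1" (assumption; confirm against sshd_config(5)).

# Print the effective Protocol value of the config file given as $1.
effective_protocol() {
    awk '
        tolower($1) == "protocol" { print $2; found = 1; exit }
        END { if (!found) print "2,1" }
    ' "$1"
}

# Return 0 (true) if protocol 1 is enabled in the config file given as $1.
ssh1_enabled() {
    case ",$(effective_protocol "$1")," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample configs: one still allowing protocol 1, one fixed.
weak_cfg=$(mktemp)
fixed_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$fixed_cfg"' EXIT
printf '#Protocol 2\n  Protocol 2,1\nLoginGraceTime 120\n' > "$weak_cfg"
printf 'Protocol 2\nLoginGraceTime 120\n' > "$fixed_cfg"

for cfg in "$weak_cfg" "$fixed_cfg"; do
    if ssh1_enabled "$cfg"; then
        echo "$cfg: Protocol $(effective_protocol "$cfg") still enables SSH1; set 'Protocol 2'"
    else
        echo "$cfg: Protocol $(effective_protocol "$cfg") (SSH1 disabled)"
    fi
done
```

Run it against /etc/ssh/sshd_config by calling ssh1_enabled on that path; a commented "#Protocol 2" line is correctly ignored, and an explicit "Protocol 2" is the setting the workaround calls for.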

There is no workaround for the second issue.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, RELENG_5_3,
or RELENG_4_11 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.11, 5.3,
5.4, 5.5, 6.0, and 6.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.11]
# fetch http://security.FreeBSD.org/patches/SA-06:22/openssh4x.patch
# fetch http://security.FreeBSD.org/patches/SA-06:22/openssh4x.patch.asc

[FreeBSD 5.x]
# fetch http://security.FreeBSD.org/patches/SA-06:22/openssh5x.patch
# fetch http://security.FreeBSD.org/patches/SA-06:22/openssh5x.patch.asc

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-06:22/openssh6x.patch
# fetch http://security.FreeBSD.org/patches/SA-06:22/openssh6x.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssh
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.sbin/sshd
# make obj && make depend && make && make install

c) Restart the SSH daemon.  On FreeBSD 5.x and 6.x, this can be done via

# /etc/rc.d/sshd restart

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/crypto/openssh/deattack.c   1.1.1.1.2.6
  src/crypto/openssh/deattack.h   1.1.1.1.2.3
  src/crypto/openssh/defines.h1.1.1.2.2.3
  src/crypto/openssh/log.c1.1.1.1.2.6
  src/crypto/openssh/log.h1.1.1.1.2.4
  src/crypto/openssh/packet.c 1.1.1.1.2.7
  src/crypto/openssh/ssh_config  1.2.2.10
  src/crypto/openssh/ssh_config.5 1.4.2.6
  src/crypto/openssh/sshd.c  1.6.2.12