Fix CVE-2023-48795 Prefix truncation attack on Binary Packet Protocol (BPP)
Fix CVE-2023-6918 Missing checks for return values for digests Fix CVE-2023-6004 ProxyCommand/ProxyJump features allow injection of malicious code through hostname Resolves:RHEL-19690, RHEL-17244, RHEL-19312 Signed-off-by: Sahana Prasad <sahana@redhat.com>
This commit is contained in:
parent
d03f6acd77
commit
e1bdcfcf50
723
CVE-2023-48795.patch
Normal file
723
CVE-2023-48795.patch
Normal file
@ -0,0 +1,723 @@
|
||||
From 87b93be5a2071be782aa84aa5a91544b18959d5e Mon Sep 17 00:00:00 2001
|
||||
From: Aris Adamantiadis <aris@0xbadc0de.be>
|
||||
Date: Tue, 12 Dec 2023 23:09:57 +0100
|
||||
Subject: [PATCH 1/4] CVE-2023-48795: client side mitigation
|
||||
|
||||
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||
---
|
||||
include/libssh/packet.h | 1 +
|
||||
include/libssh/session.h | 6 +++++
|
||||
src/curve25519.c | 19 +++----------
|
||||
src/dh-gex.c | 7 +----
|
||||
src/dh.c | 17 +++---------
|
||||
src/ecdh.c | 8 +-----
|
||||
src/ecdh_crypto.c | 12 +++------
|
||||
src/ecdh_gcrypt.c | 10 +++----
|
||||
src/ecdh_mbedcrypto.c | 11 +++-----
|
||||
src/kex.c | 34 +++++++++++++++++++----
|
||||
src/packet.c | 58 ++++++++++++++++++++++++++++++++++++++++
|
||||
src/packet_cb.c | 12 +++++++++
|
||||
12 files changed, 126 insertions(+), 69 deletions(-)
|
||||
|
||||
diff --git a/include/libssh/packet.h b/include/libssh/packet.h
|
||||
index 561bba8e..c6fbc3fc 100644
|
||||
--- a/include/libssh/packet.h
|
||||
+++ b/include/libssh/packet.h
|
||||
@@ -63,6 +63,7 @@ SSH_PACKET_CALLBACK(ssh_packet_ext_info);
|
||||
SSH_PACKET_CALLBACK(ssh_packet_kexdh_init);
|
||||
#endif
|
||||
|
||||
+int ssh_packet_send_newkeys(ssh_session session);
|
||||
int ssh_packet_send_unimplemented(ssh_session session, uint32_t seqnum);
|
||||
int ssh_packet_parse_type(ssh_session session);
|
||||
//int packet_flush(ssh_session session, int enforce_blocking);
|
||||
diff --git a/include/libssh/session.h b/include/libssh/session.h
|
||||
index 64e118ef..3cde0dd4 100644
|
||||
--- a/include/libssh/session.h
|
||||
+++ b/include/libssh/session.h
|
||||
@@ -80,6 +80,12 @@ enum ssh_pending_call_e {
|
||||
* sending it twice during key exchange to simplify the state machine. */
|
||||
#define SSH_SESSION_FLAG_KEXINIT_SENT 4
|
||||
|
||||
+/* The current SSH2 session implements the "strict KEX" feature and should behave
|
||||
+ * differently on SSH2_MSG_NEWKEYS. */
|
||||
+#define SSH_SESSION_FLAG_KEX_STRICT 0x0010
|
||||
+/* Unexpected packets have been sent while the session was still unencrypted */
|
||||
+#define SSH_SESSION_FLAG_KEX_TAINTED 0x0020
|
||||
+
|
||||
/* codes to use with ssh_handle_packets*() */
|
||||
/* Infinite timeout */
|
||||
#define SSH_TIMEOUT_INFINITE -1
|
||||
diff --git a/src/curve25519.c b/src/curve25519.c
|
||||
index 37654438..6b7b4238 100644
|
||||
--- a/src/curve25519.c
|
||||
+++ b/src/curve25519.c
|
||||
@@ -335,16 +335,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_curve25519_reply){
|
||||
}
|
||||
|
||||
/* Send the MSG_NEWKEYS */
|
||||
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
|
||||
- goto error;
|
||||
- }
|
||||
-
|
||||
- rc=ssh_packet_send(session);
|
||||
+ rc = ssh_packet_send_newkeys(session);
|
||||
if (rc == SSH_ERROR) {
|
||||
goto error;
|
||||
}
|
||||
-
|
||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
||||
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
||||
|
||||
return SSH_PACKET_USED;
|
||||
@@ -502,18 +496,13 @@ static SSH_PACKET_CALLBACK(ssh_packet_server_curve25519_init){
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
- /* Send the MSG_NEWKEYS */
|
||||
- rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
|
||||
- if (rc < 0) {
|
||||
- goto error;
|
||||
- }
|
||||
-
|
||||
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
||||
- rc = ssh_packet_send(session);
|
||||
+
|
||||
+ /* Send the MSG_NEWKEYS */
|
||||
+ rc = ssh_packet_send_newkeys(session);
|
||||
if (rc == SSH_ERROR) {
|
||||
goto error;
|
||||
}
|
||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
||||
|
||||
return SSH_PACKET_USED;
|
||||
error:
|
||||
diff --git a/src/dh-gex.c b/src/dh-gex.c
|
||||
index 4a298542..f1880270 100644
|
||||
--- a/src/dh-gex.c
|
||||
+++ b/src/dh-gex.c
|
||||
@@ -287,15 +287,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
|
||||
}
|
||||
|
||||
/* Send the MSG_NEWKEYS */
|
||||
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
|
||||
- goto error;
|
||||
- }
|
||||
-
|
||||
- rc = ssh_packet_send(session);
|
||||
+ rc = ssh_packet_send_newkeys(session);
|
||||
if (rc == SSH_ERROR) {
|
||||
goto error;
|
||||
}
|
||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
||||
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
||||
|
||||
return SSH_PACKET_USED;
|
||||
diff --git a/src/dh.c b/src/dh.c
|
||||
index c265efcb..1d519c63 100644
|
||||
--- a/src/dh.c
|
||||
+++ b/src/dh.c
|
||||
@@ -386,16 +386,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
|
||||
}
|
||||
|
||||
/* Send the MSG_NEWKEYS */
|
||||
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
|
||||
- goto error;
|
||||
- }
|
||||
-
|
||||
- rc=ssh_packet_send(session);
|
||||
+ rc = ssh_packet_send_newkeys(session);
|
||||
if (rc == SSH_ERROR) {
|
||||
goto error;
|
||||
}
|
||||
-
|
||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
||||
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
||||
return SSH_PACKET_USED;
|
||||
error:
|
||||
@@ -532,15 +526,12 @@ int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet)
|
||||
}
|
||||
SSH_LOG(SSH_LOG_DEBUG, "Sent KEX_DH_[GEX]_REPLY");
|
||||
|
||||
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
|
||||
- ssh_buffer_reinit(session->out_buffer);
|
||||
- goto error;
|
||||
- }
|
||||
session->dh_handshake_state=DH_STATE_NEWKEYS_SENT;
|
||||
- if (ssh_packet_send(session) == SSH_ERROR) {
|
||||
+ /* Send the MSG_NEWKEYS */
|
||||
+ rc = ssh_packet_send_newkeys(session);
|
||||
+ if (rc == SSH_ERROR) {
|
||||
goto error;
|
||||
}
|
||||
- SSH_LOG(SSH_LOG_PACKET, "SSH_MSG_NEWKEYS sent");
|
||||
|
||||
return SSH_OK;
|
||||
error:
|
||||
diff --git a/src/ecdh.c b/src/ecdh.c
|
||||
index e5b11ba9..af80beec 100644
|
||||
--- a/src/ecdh.c
|
||||
+++ b/src/ecdh.c
|
||||
@@ -93,16 +93,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_ecdh_reply){
|
||||
}
|
||||
|
||||
/* Send the MSG_NEWKEYS */
|
||||
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
|
||||
- goto error;
|
||||
- }
|
||||
-
|
||||
- rc=ssh_packet_send(session);
|
||||
+ rc = ssh_packet_send_newkeys(session);
|
||||
if (rc == SSH_ERROR) {
|
||||
goto error;
|
||||
}
|
||||
-
|
||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
||||
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
||||
|
||||
return SSH_PACKET_USED;
|
||||
diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
|
||||
index a1de27fd..62578c1b 100644
|
||||
--- a/src/ecdh_crypto.c
|
||||
+++ b/src/ecdh_crypto.c
|
||||
@@ -323,18 +323,12 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
|
||||
goto error;
|
||||
}
|
||||
|
||||
- /* Send the MSG_NEWKEYS */
|
||||
- rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
|
||||
- if (rc < 0) {
|
||||
- goto error;
|
||||
- }
|
||||
-
|
||||
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
||||
- rc = ssh_packet_send(session);
|
||||
- if (rc == SSH_ERROR){
|
||||
+ /* Send the MSG_NEWKEYS */
|
||||
+ rc = ssh_packet_send_newkeys(session);
|
||||
+ if (rc == SSH_ERROR) {
|
||||
goto error;
|
||||
}
|
||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
||||
|
||||
return SSH_PACKET_USED;
|
||||
error:
|
||||
diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
|
||||
index d9c41bf9..dd4332d7 100644
|
||||
--- a/src/ecdh_gcrypt.c
|
||||
+++ b/src/ecdh_gcrypt.c
|
||||
@@ -372,17 +372,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
|
||||
goto out;
|
||||
}
|
||||
|
||||
-
|
||||
+ session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
||||
/* Send the MSG_NEWKEYS */
|
||||
- rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
|
||||
- if (rc != SSH_OK) {
|
||||
+ rc = ssh_packet_send_newkeys(session);
|
||||
+ if (rc == SSH_ERROR) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
- session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
||||
- rc = ssh_packet_send(session);
|
||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
||||
-
|
||||
out:
|
||||
gcry_sexp_release(param);
|
||||
gcry_sexp_release(key);
|
||||
diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c
|
||||
index 718f1522..45251a42 100644
|
||||
--- a/src/ecdh_mbedcrypto.c
|
||||
+++ b/src/ecdh_mbedcrypto.c
|
||||
@@ -300,16 +300,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
|
||||
goto out;
|
||||
}
|
||||
|
||||
- rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
|
||||
- if (rc < 0) {
|
||||
- rc = SSH_ERROR;
|
||||
+ session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
||||
+ /* Send the MSG_NEWKEYS */
|
||||
+ rc = ssh_packet_send_newkeys(session);
|
||||
+ if (rc == SSH_ERROR) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
- session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
||||
- rc = ssh_packet_send(session);
|
||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
||||
-
|
||||
out:
|
||||
mbedtls_ecp_group_free(&grp);
|
||||
if (rc == SSH_ERROR) {
|
||||
diff --git a/src/kex.c b/src/kex.c
|
||||
index 3e5ca6ad..0772cae8 100644
|
||||
--- a/src/kex.c
|
||||
+++ b/src/kex.c
|
||||
@@ -163,6 +163,9 @@
|
||||
|
||||
/* RFC 8308 */
|
||||
#define KEX_EXTENSION_CLIENT "ext-info-c"
|
||||
+/* Strict kex mitigation against CVE-2023-48795 */
|
||||
+#define KEX_STRICT_CLIENT "kex-strict-c-v00@openssh.com"
|
||||
+#define KEX_STRICT_SERVER "kex-strict-s-v00@openssh.com"
|
||||
|
||||
/* Allowed algorithms in FIPS mode */
|
||||
#define FIPS_ALLOWED_CIPHERS "aes256-gcm@openssh.com,"\
|
||||
@@ -491,6 +494,27 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
|
||||
session->first_kex_follows_guess_wrong ? "wrong" : "right");
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * handle the "strict KEX" feature. If supported by peer, then set up the
|
||||
+ * flag and verify packet sequence numbers.
|
||||
+ */
|
||||
+ if (server_kex) {
|
||||
+ ok = ssh_match_group(crypto->client_kex.methods[SSH_KEX],
|
||||
+ KEX_STRICT_CLIENT);
|
||||
+ if (ok) {
|
||||
+ SSH_LOG(SSH_LOG_DEBUG, "Client supports strict kex, enabling.");
|
||||
+ session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
|
||||
+ }
|
||||
+ } else {
|
||||
+ /* client kex */
|
||||
+ ok = ssh_match_group(crypto->server_kex.methods[SSH_KEX],
|
||||
+ KEX_STRICT_SERVER);
|
||||
+ if (ok) {
|
||||
+ SSH_LOG(SSH_LOG_DEBUG, "Server supports strict kex, enabling.");
|
||||
+ session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (server_kex) {
|
||||
/*
|
||||
* If client sent a ext-info-c message in the kex list, it supports
|
||||
@@ -767,21 +791,21 @@ int ssh_set_client_kex(ssh_session session)
|
||||
return SSH_OK;
|
||||
}
|
||||
|
||||
- /* Here we append ext-info-c to the list of kex algorithms */
|
||||
+ /* Here we append ext-info-c and kex-strict-c-v00@openssh.com to the list of kex algorithms */
|
||||
kex = client->methods[SSH_KEX];
|
||||
len = strlen(kex);
|
||||
- if (len + strlen(KEX_EXTENSION_CLIENT) + 2 < len) {
|
||||
+ /* Comma, comma, nul byte */
|
||||
+ kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 + strlen(KEX_STRICT_CLIENT ) + 1;
|
||||
+ if (kex_len >= MAX_PACKET_LEN) {
|
||||
/* Overflow */
|
||||
return SSH_ERROR;
|
||||
}
|
||||
- kex_len = len + strlen(KEX_EXTENSION_CLIENT) + 2; /* comma, NULL */
|
||||
kex_tmp = realloc(kex, kex_len);
|
||||
if (kex_tmp == NULL) {
|
||||
- free(kex);
|
||||
ssh_set_error_oom(session);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
- snprintf(kex_tmp + len, kex_len - len, ",%s", KEX_EXTENSION_CLIENT);
|
||||
+ snprintf(kex_tmp + len, kex_len - len, ",%s,%s", KEX_EXTENSION_CLIENT, KEX_STRICT_CLIENT);
|
||||
client->methods[SSH_KEX] = kex_tmp;
|
||||
|
||||
return SSH_OK;
|
||||
diff --git a/src/packet.c b/src/packet.c
|
||||
index ca7a03b7..82965fb3 100644
|
||||
--- a/src/packet.c
|
||||
+++ b/src/packet.c
|
||||
@@ -1309,6 +1309,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
|
||||
}
|
||||
#endif /* WITH_ZLIB */
|
||||
payloadsize = ssh_buffer_get_len(session->in_buffer);
|
||||
+ if (session->recv_seq == UINT32_MAX) {
|
||||
+ /* Overflowing sequence numbers is always fishy */
|
||||
+ if (crypto == NULL) {
|
||||
+ /* don't allow sequence number overflow when unencrypted */
|
||||
+ ssh_set_error(session,
|
||||
+ SSH_FATAL,
|
||||
+ "Incoming sequence number overflow");
|
||||
+ goto error;
|
||||
+ } else {
|
||||
+ SSH_LOG(SSH_LOG_WARNING,
|
||||
+ "Incoming sequence number overflow");
|
||||
+ }
|
||||
+ }
|
||||
session->recv_seq++;
|
||||
if (crypto != NULL) {
|
||||
struct ssh_cipher_struct *cipher = NULL;
|
||||
@@ -1331,7 +1344,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
|
||||
SSH_LOG(SSH_LOG_PACKET,
|
||||
"packet: read type %hhd [len=%d,padding=%hhd,comp=%d,payload=%d]",
|
||||
session->in_packet.type, packet_len, padding, compsize, payloadsize);
|
||||
+ if (crypto == NULL) {
|
||||
+ /* In strict kex, only a few packets are allowed. Taint the session
|
||||
+ * if we received packets that are normally allowed but to be
|
||||
+ * refused if we are in strict kex when KEX is over.
|
||||
+ */
|
||||
+ uint8_t type = session->in_packet.type;
|
||||
|
||||
+ if (type != SSH2_MSG_KEXINIT && type != SSH2_MSG_NEWKEYS &&
|
||||
+ (type < SSH2_MSG_KEXDH_INIT ||
|
||||
+ type > SSH2_MSG_KEX_DH_GEX_REQUEST)) {
|
||||
+ session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
|
||||
+ }
|
||||
+ }
|
||||
/* Check if the packet is expected */
|
||||
filter_result = ssh_packet_incoming_filter(session);
|
||||
|
||||
@@ -1347,6 +1372,9 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
|
||||
session->in_packet.type);
|
||||
goto error;
|
||||
case SSH_PACKET_UNKNOWN:
|
||||
+ if (crypto == NULL) {
|
||||
+ session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
|
||||
+ }
|
||||
ssh_packet_send_unimplemented(session, session->recv_seq - 1);
|
||||
break;
|
||||
}
|
||||
@@ -1521,7 +1549,33 @@ void ssh_packet_process(ssh_session session, uint8_t type)
|
||||
SSH_LOG(SSH_LOG_RARE, "Failed to send unimplemented: %s",
|
||||
ssh_get_error(session));
|
||||
}
|
||||
+ if (session->current_crypto == NULL) {
|
||||
+ session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/** @internal
|
||||
+ * @brief sends a SSH_MSG_NEWKEYS when enabling the new negotiated ciphers
|
||||
+ * @param session the SSH session
|
||||
+ * @return SSH_ERROR on error, else SSH_OK
|
||||
+ */
|
||||
+int ssh_packet_send_newkeys(ssh_session session)
|
||||
+{
|
||||
+ int rc;
|
||||
+
|
||||
+ /* Send the MSG_NEWKEYS */
|
||||
+ rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
|
||||
+ if (rc < 0) {
|
||||
+ return rc;
|
||||
}
|
||||
+
|
||||
+ rc = ssh_packet_send(session);
|
||||
+ if (rc == SSH_ERROR) {
|
||||
+ return rc;
|
||||
+ }
|
||||
+ SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
/** @internal
|
||||
@@ -1829,6 +1883,10 @@ int ssh_packet_send(ssh_session session)
|
||||
if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) {
|
||||
struct ssh_iterator *it;
|
||||
|
||||
+ if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) {
|
||||
+ /* reset packet sequence number when running in strict kex mode */
|
||||
+ session->send_seq = 0;
|
||||
+ }
|
||||
for (it = ssh_list_get_iterator(session->out_queue);
|
||||
it != NULL;
|
||||
it = ssh_list_get_iterator(session->out_queue)) {
|
||||
diff --git a/src/packet_cb.c b/src/packet_cb.c
|
||||
index 3e4d5f6d..a08f1d8a 100644
|
||||
--- a/src/packet_cb.c
|
||||
+++ b/src/packet_cb.c
|
||||
@@ -110,6 +110,18 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
|
||||
goto error;
|
||||
}
|
||||
|
||||
+ if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) {
|
||||
+ /* reset packet sequence number when running in strict kex mode */
|
||||
+ session->recv_seq = 0;
|
||||
+ /* Check that we aren't tainted */
|
||||
+ if (session->flags & SSH_SESSION_FLAG_KEX_TAINTED) {
|
||||
+ ssh_set_error(session,
|
||||
+ SSH_FATAL,
|
||||
+ "Received unexpected packets in strict KEX mode.");
|
||||
+ goto error;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if(session->server){
|
||||
/* server things are done in server.c */
|
||||
session->dh_handshake_state=DH_STATE_FINISHED;
|
||||
--
|
||||
2.41.0
|
||||
|
||||
|
||||
From fd4948255560039b51c2d61f0a62784ed8b6f5a6 Mon Sep 17 00:00:00 2001
|
||||
From: Aris Adamantiadis <aris@0xbadc0de.be>
|
||||
Date: Tue, 12 Dec 2023 23:30:26 +0100
|
||||
Subject: [PATCH 2/4] CVE-2023-48795: Server side mitigations
|
||||
|
||||
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||
---
|
||||
include/libssh/kex.h | 1 +
|
||||
src/kex.c | 46 ++++++++++++++++++++++++++++++++++----------
|
||||
src/server.c | 8 +++++++-
|
||||
3 files changed, 44 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/include/libssh/kex.h b/include/libssh/kex.h
|
||||
index 2ace69b6..40da4ef2 100644
|
||||
--- a/include/libssh/kex.h
|
||||
+++ b/include/libssh/kex.h
|
||||
@@ -36,6 +36,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit);
|
||||
int ssh_send_kex(ssh_session session);
|
||||
void ssh_list_kex(struct ssh_kex_struct *kex);
|
||||
int ssh_set_client_kex(ssh_session session);
|
||||
+int ssh_kex_append_extensions(ssh_session session, struct ssh_kex_struct *pkex);
|
||||
int ssh_kex_select_methods(ssh_session session);
|
||||
int ssh_verify_existing_algo(enum ssh_kex_types_e algo, const char *name);
|
||||
char *ssh_keep_known_algos(enum ssh_kex_types_e algo, const char *list);
|
||||
diff --git a/src/kex.c b/src/kex.c
|
||||
index 0772cae8..e37c176c 100644
|
||||
--- a/src/kex.c
|
||||
+++ b/src/kex.c
|
||||
@@ -738,11 +738,8 @@ int ssh_set_client_kex(ssh_session session)
|
||||
{
|
||||
struct ssh_kex_struct *client = &session->next_crypto->client_kex;
|
||||
const char *wanted;
|
||||
- char *kex = NULL;
|
||||
- char *kex_tmp = NULL;
|
||||
int ok;
|
||||
int i;
|
||||
- size_t kex_len, len;
|
||||
|
||||
/* Skip if already set, for example for the rekey or when we do the guessing
|
||||
* it could have been already used to make some protocol decisions. */
|
||||
@@ -791,11 +788,33 @@ int ssh_set_client_kex(ssh_session session)
|
||||
return SSH_OK;
|
||||
}
|
||||
|
||||
- /* Here we append ext-info-c and kex-strict-c-v00@openssh.com to the list of kex algorithms */
|
||||
- kex = client->methods[SSH_KEX];
|
||||
+ ok = ssh_kex_append_extensions(session, client);
|
||||
+ if (ok != SSH_OK){
|
||||
+ return ok;
|
||||
+ }
|
||||
+
|
||||
+ return SSH_OK;
|
||||
+}
|
||||
+
|
||||
+int ssh_kex_append_extensions(ssh_session session, struct ssh_kex_struct *pkex)
|
||||
+{
|
||||
+ char *kex = NULL;
|
||||
+ char *kex_tmp = NULL;
|
||||
+ size_t kex_len, len;
|
||||
+
|
||||
+ /* Here we append ext-info-c and kex-strict-c-v00@openssh.com for client
|
||||
+ * and kex-strict-s-v00@openssh.com for server to the list of kex algorithms
|
||||
+ */
|
||||
+ kex = pkex->methods[SSH_KEX];
|
||||
len = strlen(kex);
|
||||
- /* Comma, comma, nul byte */
|
||||
- kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 + strlen(KEX_STRICT_CLIENT ) + 1;
|
||||
+ if (session->server) {
|
||||
+ /* Comma, nul byte */
|
||||
+ kex_len = len + 1 + strlen(KEX_STRICT_SERVER) + 1;
|
||||
+ } else {
|
||||
+ /* Comma, comma, nul byte */
|
||||
+ kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 +
|
||||
+ strlen(KEX_STRICT_CLIENT) + 1;
|
||||
+ }
|
||||
if (kex_len >= MAX_PACKET_LEN) {
|
||||
/* Overflow */
|
||||
return SSH_ERROR;
|
||||
@@ -805,9 +824,16 @@ int ssh_set_client_kex(ssh_session session)
|
||||
ssh_set_error_oom(session);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
- snprintf(kex_tmp + len, kex_len - len, ",%s,%s", KEX_EXTENSION_CLIENT, KEX_STRICT_CLIENT);
|
||||
- client->methods[SSH_KEX] = kex_tmp;
|
||||
-
|
||||
+ if (session->server){
|
||||
+ snprintf(kex_tmp + len, kex_len - len, ",%s", KEX_STRICT_SERVER);
|
||||
+ } else {
|
||||
+ snprintf(kex_tmp + len,
|
||||
+ kex_len - len,
|
||||
+ ",%s,%s",
|
||||
+ KEX_EXTENSION_CLIENT,
|
||||
+ KEX_STRICT_CLIENT);
|
||||
+ }
|
||||
+ pkex->methods[SSH_KEX] = kex_tmp;
|
||||
return SSH_OK;
|
||||
}
|
||||
|
||||
diff --git a/src/server.c b/src/server.c
|
||||
index ed73e7fb..35e84465 100644
|
||||
--- a/src/server.c
|
||||
+++ b/src/server.c
|
||||
@@ -195,7 +195,13 @@ int server_set_kex(ssh_session session)
|
||||
}
|
||||
}
|
||||
|
||||
- return 0;
|
||||
+ /* Do not append the extensions during rekey */
|
||||
+ if (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) {
|
||||
+ return SSH_OK;
|
||||
+ }
|
||||
+
|
||||
+ rc = ssh_kex_append_extensions(session, server);
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
int ssh_server_init_kex(ssh_session session) {
|
||||
--
|
||||
2.41.0
|
||||
|
||||
|
||||
From 03bbbc9e4c93aae2ccdd302d6123e4809be37746 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Thu, 14 Dec 2023 12:22:01 +0100
|
||||
Subject: [PATCH 3/4] CVE-2023-48795: Strip extensions from both kex lists for
|
||||
matching
|
||||
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||
---
|
||||
src/kex.c | 16 ++++++++++++----
|
||||
1 file changed, 12 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/kex.c b/src/kex.c
|
||||
index e37c176c..eea3604b 100644
|
||||
--- a/src/kex.c
|
||||
+++ b/src/kex.c
|
||||
@@ -936,11 +936,19 @@ int ssh_kex_select_methods (ssh_session session)
|
||||
enum ssh_key_exchange_e kex_type;
|
||||
int i;
|
||||
|
||||
- /* Here we should drop the ext-info-c from the list so we avoid matching.
|
||||
+ /* Here we should drop the extensions from the list so we avoid matching.
|
||||
* it. We added it to the end, so we can just truncate the string here */
|
||||
- ext_start = strstr(client->methods[SSH_KEX], ","KEX_EXTENSION_CLIENT);
|
||||
- if (ext_start != NULL) {
|
||||
- ext_start[0] = '\0';
|
||||
+ if (session->client) {
|
||||
+ ext_start = strstr(client->methods[SSH_KEX], "," KEX_EXTENSION_CLIENT);
|
||||
+ if (ext_start != NULL) {
|
||||
+ ext_start[0] = '\0';
|
||||
+ }
|
||||
+ }
|
||||
+ if (session->server) {
|
||||
+ ext_start = strstr(server->methods[SSH_KEX], "," KEX_STRICT_SERVER);
|
||||
+ if (ext_start != NULL) {
|
||||
+ ext_start[0] = '\0';
|
||||
+ }
|
||||
}
|
||||
|
||||
for (i = 0; i < SSH_KEX_METHODS; i++) {
|
||||
--
|
||||
2.41.0
|
||||
|
||||
|
||||
From 768d1ed30cf4b3cb9628254ef3ee24b9c38abdbc Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Thu, 14 Dec 2023 12:47:48 +0100
|
||||
Subject: [PATCH 4/4] CVE-2023-48795: tests: Adjust calculation to strict kex
|
||||
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||
---
|
||||
tests/client/torture_rekey.c | 56 ++++++++++++++++++++----------------
|
||||
1 file changed, 32 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/tests/client/torture_rekey.c b/tests/client/torture_rekey.c
|
||||
index 13c9a7fe..bfb273af 100644
|
||||
--- a/tests/client/torture_rekey.c
|
||||
+++ b/tests/client/torture_rekey.c
|
||||
@@ -148,6 +148,29 @@ static void torture_rekey_default(void **state)
|
||||
ssh_disconnect(s->ssh.session);
|
||||
}
|
||||
|
||||
+static void sanity_check_session(void **state)
|
||||
+{
|
||||
+ struct torture_state *s = *state;
|
||||
+ struct ssh_crypto_struct *c = NULL;
|
||||
+
|
||||
+ c = s->ssh.session->current_crypto;
|
||||
+ assert_non_null(c);
|
||||
+ assert_int_equal(c->in_cipher->max_blocks,
|
||||
+ bytes / c->in_cipher->blocksize);
|
||||
+ assert_int_equal(c->out_cipher->max_blocks,
|
||||
+ bytes / c->out_cipher->blocksize);
|
||||
+ /* when strict kex is used, the newkeys reset the sequence number */
|
||||
+ if ((s->ssh.session->flags & SSH_SESSION_FLAG_KEX_STRICT) != 0) {
|
||||
+ assert_int_equal(c->out_cipher->packets, s->ssh.session->send_seq);
|
||||
+ assert_int_equal(c->in_cipher->packets, s->ssh.session->recv_seq);
|
||||
+ } else {
|
||||
+ /* Otherwise we have less encrypted packets than transferred
|
||||
+ * (first are not encrypted) */
|
||||
+ assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
|
||||
+ assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/* We lower the rekey limits manually and check that the rekey
|
||||
* really happens when sending data
|
||||
*/
|
||||
@@ -166,16 +189,10 @@ static void torture_rekey_send(void **state)
|
||||
rc = ssh_connect(s->ssh.session);
|
||||
assert_ssh_return_code(s->ssh.session, rc);
|
||||
|
||||
- /* The blocks limit is set correctly */
|
||||
- c = s->ssh.session->current_crypto;
|
||||
- assert_int_equal(c->in_cipher->max_blocks,
|
||||
- bytes / c->in_cipher->blocksize);
|
||||
- assert_int_equal(c->out_cipher->max_blocks,
|
||||
- bytes / c->out_cipher->blocksize);
|
||||
- /* We should have less encrypted packets than transfered (first are not encrypted) */
|
||||
- assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
|
||||
- assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
|
||||
+ sanity_check_session(state);
|
||||
/* Copy the initial secret hash = session_id so we know we changed keys later */
|
||||
+ c = s->ssh.session->current_crypto;
|
||||
+ assert_non_null(c);
|
||||
secret_hash = malloc(c->digest_len);
|
||||
assert_non_null(secret_hash);
|
||||
memcpy(secret_hash, c->secret_hash, c->digest_len);
|
||||
@@ -272,14 +289,10 @@ static void torture_rekey_recv(void **state)
|
||||
sftp_file file;
|
||||
mode_t mask;
|
||||
|
||||
- /* The blocks limit is set correctly */
|
||||
- c = s->ssh.session->current_crypto;
|
||||
- assert_int_equal(c->in_cipher->max_blocks, bytes / c->in_cipher->blocksize);
|
||||
- assert_int_equal(c->out_cipher->max_blocks, bytes / c->out_cipher->blocksize);
|
||||
- /* We should have less encrypted packets than transfered (first are not encrypted) */
|
||||
- assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
|
||||
- assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
|
||||
+ sanity_check_session(state);
|
||||
/* Copy the initial secret hash = session_id so we know we changed keys later */
|
||||
+ c = s->ssh.session->current_crypto;
|
||||
+ assert_non_null(c);
|
||||
secret_hash = malloc(c->digest_len);
|
||||
assert_non_null(secret_hash);
|
||||
memcpy(secret_hash, c->secret_hash, c->digest_len);
|
||||
@@ -464,15 +477,10 @@ static void torture_rekey_different_kex(void **state)
|
||||
assert_ssh_return_code(s->ssh.session, rc);
|
||||
|
||||
/* The blocks limit is set correctly */
|
||||
- c = s->ssh.session->current_crypto;
|
||||
- assert_int_equal(c->in_cipher->max_blocks,
|
||||
- bytes / c->in_cipher->blocksize);
|
||||
- assert_int_equal(c->out_cipher->max_blocks,
|
||||
- bytes / c->out_cipher->blocksize);
|
||||
- /* We should have less encrypted packets than transfered (first are not encrypted) */
|
||||
- assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
|
||||
- assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
|
||||
+ sanity_check_session(state);
|
||||
/* Copy the initial secret hash = session_id so we know we changed keys later */
|
||||
+ c = s->ssh.session->current_crypto;
|
||||
+ assert_non_null(c);
|
||||
secret_hash = malloc(c->digest_len);
|
||||
assert_non_null(secret_hash);
|
||||
memcpy(secret_hash, c->secret_hash, c->digest_len);
|
||||
--
|
||||
2.41.0
|
||||
|
1114
CVE-2023-6004.patch
Normal file
1114
CVE-2023-6004.patch
Normal file
File diff suppressed because it is too large
Load Diff
1577
CVE-2023-6918.patch
Normal file
1577
CVE-2023-6918.patch
Normal file
File diff suppressed because it is too large
Load Diff
15
libssh.spec
15
libssh.spec
@ -1,6 +1,6 @@
|
||||
Name: libssh
|
||||
Version: 0.9.6
|
||||
Release: 12%{?dist}
|
||||
Release: 14%{?dist}
|
||||
Summary: A library implementing the SSH protocol
|
||||
License: LGPLv2+
|
||||
URL: http://www.libssh.org
|
||||
@ -17,6 +17,9 @@ Patch2: null_dereference_rekey.patch
|
||||
Patch3: auth_bypass.patch
|
||||
Patch4: fix_tests.patch
|
||||
Patch5: covscan23.patch
|
||||
Patch6: CVE-2023-48795.patch
|
||||
Patch7: CVE-2023-6004.patch
|
||||
Patch8: CVE-2023-6918.patch
|
||||
|
||||
BuildRequires: cmake
|
||||
BuildRequires: doxygen
|
||||
@ -145,6 +148,16 @@ popd
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
|
||||
|
||||
%changelog
|
||||
* Mon Feb 26 2024 Sahana Prasad <sahana@redhat.com> - 0.9.6-14
|
||||
- Fix CVE-2023-48795 Prefix truncation attack on Binary Packet Protocol (BPP)
|
||||
- Fix CVE-2023-6918 Missing checks for return values for digests
|
||||
- Fix CVE-2023-6004 ProxyCommand/ProxyJump features allow injection
|
||||
of malicious code through hostname
|
||||
- Note: version is bumped from 12 to 14 directly, as the z-stream
|
||||
version in 8.9 also has 13. So bumping it to 14, will prevent
|
||||
upgrade conflicts.
|
||||
- Resolves:RHEL-19690, RHEL-17244, RHEL-19312
|
||||
|
||||
* Mon May 15 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-12
|
||||
- Fix loglevel regression
|
||||
- Related: rhbz#2182251, rhbz#2189742
|
||||
|
Loading…
Reference in New Issue
Block a user