From: "Bjoern A. Zeeb"
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-24:04.openssh
Date: Mon, 1 Jul 2024 10:34:00 +0000 (UTC)
In-Reply-To: <20240701085840.0EA17B51@freefall.freebsd.org>
Message-ID: <44522737-qr68-q1n2-rs8o-7o75329982o0@yvfgf.mnoonqbm.arg>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On Mon, 1 Jul 2024, FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-24:04.openssh                                    Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          OpenSSH pre-authentication remote code execution
>
> Category:       contrib
> Module:         openssh
> Announced:      2024-07-01
> Credits:        Qualys Threat Research Unit (TRU)
> Affects:        All supported versions of FreeBSD.

[..]

> II.  Problem Description
>
> A signal handler in sshd(8) calls a function that is not async-signal-safe.
> The signal handler is invoked when a client does not authenticate within the
> LoginGraceTime seconds (120 by default). This signal handler executes in the
> context of the sshd(8)'s privileged code, which is not sandboxed and runs
> with full root privileges.
>
> This issue is a regression of CVE-2006-5051 originally reported by Mark Dowd
> and accidentally reintroduced in OpenSSH 8.5p1.
>
> III. Impact
>
> As a result of calling functions that are not async-signal-safe in the
> privileged sshd(8) context, a race condition exists that a determined
> attacker may be able to exploit to allow an unauthenticated remote code
> execution as root.
>
> IV.  Workaround
>
> If sshd(8) cannot be updated, this signal handler race condition can be
> mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and
> restarting sshd(8). This makes sshd(8) vulnerable to a denial of service
> (the exhaustion of all MaxStartups connections), but makes it safe from the
> remote code execution presented in this advisory.

Can this code path still be exploited in FreeBSD if libwrap/hosts_access is
used denying connections (at least from untrusted sources)?

A quick look seems to show that LIBWRAP checking happens before the signal
handler is set up and the bug needs connections to be accepted?

-- 
Bjoern A. Zeeb
r15:7