svn commit: r49830 - in head/share: security/advisories security/patches/SA-17:01 xml

Xin LI delphij at FreeBSD.org
Wed Jan 11 06:07:44 UTC 2017


Author: delphij
Date: Wed Jan 11 06:07:42 2017
New Revision: 49830
URL: https://svnweb.freebsd.org/changeset/doc/49830

Log:
  Add SA-17:01.

Added:
  head/share/security/advisories/FreeBSD-SA-17:01.openssh.asc   (contents, props changed)
  head/share/security/patches/SA-17:01/
  head/share/security/patches/SA-17:01/openssh.patch   (contents, props changed)
  head/share/security/patches/SA-17:01/openssh.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-17:01.openssh.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-17:01.openssh.asc	Wed Jan 11 06:07:42 2017	(r49830)
@@ -0,0 +1,158 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-17:01.openssh                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          OpenSSH multiple vulnerabilities
+
+Category:       contrib
+Module:         OpenSSH
+Announced:      2017-01-11
+Affects:        All supported versions of FreeBSD.
+Corrected:      2017-01-11 05:56:40 UTC (stable/11, 11.0-STABLE)
+                2017-01-11 06:01:23 UTC (releng/11.0, 11.0-RELEASE-p7)
+                2017-01-11 05:56:40 UTC (stable/10, 10.3-STABLE)
+                2017-01-11 06:01:23 UTC (releng/10.3, 10.3-RELEASE-p16)
+CVE Name:       CVE-2016-10009, CVE-2016-10010
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services,
+including remote shell access.
+
+OpenSSH supports accessing keys provided by a PKCS#11 token.
+
+II.  Problem Description
+
+The ssh-agent(1) agent supports loading a PKCS#11 module from outside a
+trusted whitelist.  An attacker can request loading of a PKCS#11 module
+across forwarded agent-socket. [CVE-2016-10009]
+
+When privilege separation is disabled, forwarded Unix domain sockets
+would be created by sshd(8) with the privileges of 'root' instead of
+the authenticated user. [CVE-2016-10010]
+
+III. Impact
+
+A remote attacker who have control of a forwarded agent-socket on a
+remote system and have the ability to write files on the system
+running ssh-agent(1) agent can run arbitrary code under the same user
+credential.  Because the attacker must already have some control on
+both systems, it is relatively hard to exploit this vulnerability in
+a practical attack. [CVE-2016-10009]
+
+When privilege separation is disabled (on FreeBSD, privilege separation
+is enabled by default and has to be explicitly disabled), an authenticated
+attacker can potentially gain root privileges on systems running OpenSSH
+server. [CVE-2016-10010]
+
+IV.  Workaround
+
+Systems not running ssh-agent(1) and sshd(8) services are not affected.
+
+System administrators may remove ssh-agent(1) to mitigate CVE-2016-10009.
+
+System administrators should enable privilege separation when running
+OpenSSH server, which is the FreeBSD default, to mitigate CVE-2016-10010.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Kill all running ssh-agent(1) process and restart sshd(8) service.
+A reboot is recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Kill all running ssh-agent(1) process and restart sshd(8) service.
+A reboot is recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch
+# fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch.asc
+# gpg --verify openssh.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Kill all running ssh-agent(1) process and restart sshd(8) service.
+A reboot is recommended but not required.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r311915
+releng/10.3/                                                      r311916
+stable/11/                                                        r311915
+releng/11.0/                                                      r311916
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://www.openssh.com/txt/release-7.4>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10010>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:01.openssh.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.16 (FreeBSD)
+
+iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlh1yuAACgkQ7Wfs1l3P
+auebFA//TGtwrub7JNTgKdc5qnpw+s8W1j0AnQ4wTaJ6v7zNyUB0DG+LHW4uXCwR
+xc9Etd2mhY26wJIUxx0Z3oArcqVBGpCGbozuIOU6AdgmHdOL3ddj8aq4SuC0PyMA
+0OvNgZIRPZxEm81MP+6/GES4JLmOumiNeAG/MrtITGJDP/K5vVPIst/+F7OJ4P2+
+OGrjqBWmAz2EMG62QUJI8oSwB+FJpXtWHKOC4fPGibAQe3vF1WequbcDkLsYl1pX
+Ktlk/qh9ivaQreM9rHkUDF0PYwFdsXzveze/TLNbEo+w43v/PAlyR+xw2+22VjGK
+fxTL8Gk2tMQfahGZwFmmQFPLcwNRcdjgnZcRRHA3z8vKgM831A53gV3KskUwZl4V
+DyKdXtl44zrZ7PtPJ1gJkPK6B8zzfjnSwzPC51pDjh30ps28Rgfc6JOyjxhX5BJ4
+sXvQ3meiEfVgVq3DpTqQ3mZVQ1pRF+yhPf1Ptts9fQzAD95JsFF0WT0nzbYoB2VY
+KrU4V7d/Ys+HIeQWgDwZlFuLOULlVZDW/H55PT5Tx9JvP5vRlZS/w2HHN7wwy8n5
+tNX9mcH8DuG7X/jWDR9ompbJp5uZqcKWVMHPQY7fnaLSJoQMqrpPgZ9tsw6wq347
+Vslm3qQwUTSGRagH0rBuHiVJmY/AeqY3lvsaZklWGIYMRjmUeA0=
+=3z/p
+-----END PGP SIGNATURE-----
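Review bot: the Impact paragraph for CVE-2016-10009 has a subject-verb agreement error ("A remote attacker who have control of a forwarded agent-socket ... and have the ability" should read "who has control ... and has the ability"), section II's "across forwarded agent-socket" should read "across a forwarded agent socket", and the three "Kill all running ssh-agent(1) process" lines in section V should read "processes". The Workaround section could also state more directly what section II already implies: CVE-2016-10009 is only reachable over a forwarded agent socket, so a user who keeps ssh-agent(1) installed but does not forward the agent to other hosts is not exposed to this vector; as written, the only listed mitigation is removing ssh-agent(1) entirely. "Systems not running ssh-agent(1) and sshd(8) services" would be clearer as "Systems running neither ssh-agent(1) nor sshd(8)".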

Added: head/share/security/patches/SA-17:01/openssh.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-17:01/openssh.patch	Wed Jan 11 06:07:42 2017	(r49830)
@@ -0,0 +1,170 @@
+--- crypto/openssh/serverloop.c.orig
++++ crypto/openssh/serverloop.c
+@@ -995,7 +995,7 @@
+ 
+ 	/* XXX fine grained permissions */
+ 	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+-	    !no_port_forwarding_flag) {
++	    !no_port_forwarding_flag && use_privsep) {
+ 		c = channel_connect_to_path(target,
+ 		    "direct-streamlocal at openssh.com", "direct-streamlocal");
+ 	} else {
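Review bot: adding `&& use_privsep` to the permission test refuses direct-streamlocal channel opens when privilege separation is off even though the administrator has enabled AllowStreamLocalForwarding, and the `else` branch carries no log line naming the reason, so the failure will look like a configuration mismatch. Suggest a verbose()/debug() message in the `else` branch such as "refusing streamlocal forwarding: privilege separation disabled" so the cause is visible in sshd logs. Note for the advisory text that this change disables the feature when privsep is off rather than correcting the ownership of the socket sshd creates.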
+@@ -1279,7 +1279,7 @@
+ 
+ 		/* check permissions */
+ 		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+-		    || no_port_forwarding_flag) {
++		    || no_port_forwarding_flag || !use_privsep) {
+ 			success = 0;
+ 			packet_send_debug("Server has disabled port forwarding.");
+ 		} else {
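Review bot: the existing `packet_send_debug("Server has disabled port forwarding.")` is now also sent when the real reason for refusal is `!use_privsep`, which will mislead a client-side `ssh -v` user whose server has AllowStreamLocalForwarding enabled. Consider a separate branch or message for the privsep case, for example "Server has disabled streamlocal forwarding (privilege separation is off)", so the refusal is diagnosable from the client.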
+--- crypto/openssh/ssh-agent.1.orig
++++ crypto/openssh/ssh-agent.1
+@@ -48,6 +48,7 @@
+ .Op Fl a Ar bind_address
+ .Op Fl E Ar fingerprint_hash
+ .Op Fl t Ar life
++.Op Fl P Ar pkcs11_whitelist
+ .Op Ar command Op Ar arg ...
+ .Nm ssh-agent
+ .Op Fl c | s
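Review bot: the new `.Op Fl P Ar pkcs11_whitelist` is placed after `.Op Fl t Ar life` in the synopsis, while the usage() string later in this patch prints `[-P pkcs11_whitelist] [-t life]`; pick one ordering (alphabetical, -P before -t, matching usage()) so the man page and the binary's usage output agree.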
+@@ -122,6 +123,18 @@
+ Kill the current agent (given by the
+ .Ev SSH_AGENT_PID
+ environment variable).
++.It Fl P
++Specify a pattern-list of acceptable paths for PKCS#11 shared libraries
++that may be added using the
++.Fl s
++option to
++.Xr ssh-add 1 .
++The default is to allow loading PKCS#11 libraries from
++.Dq /usr/lib/*,/usr/local/lib/* .
++PKCS#11 libraries that do not match the whitelist will be refused.
++See PATTERNS in
++.Xr ssh_config 5
++for a description of pattern-list syntax.
+ .It Fl s
+ Generate Bourne shell commands on
+ .Dv stdout .
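Review bot: the -P description should say that the provider path is canonicalized with realpath(3) before it is matched against the whitelist (see the ssh-agent.c change in this patch), so a symlink under /usr/lib/ that resolves to a file outside the whitelisted directories is refused, and a relative path is resolved against the agent's working directory. It would also help administrators to note that, since the pattern list follows PATTERNS in ssh_config(5), a permissive pattern such as "*" effectively disables the check; the intended use is to narrow the default, not to widen it.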
+--- crypto/openssh/ssh-agent.c.orig
++++ crypto/openssh/ssh-agent.c
+@@ -84,11 +84,16 @@
+ #include "misc.h"
+ #include "digest.h"
+ #include "ssherr.h"
++#include "match.h"
+ 
+ #ifdef ENABLE_PKCS11
+ #include "ssh-pkcs11.h"
+ #endif
+ 
++#ifndef DEFAULT_PKCS11_WHITELIST
++# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
++#endif
++
+ #if defined(HAVE_SYS_PRCTL_H)
+ #include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
+ #endif
+@@ -140,6 +145,9 @@
+ char socket_name[PATH_MAX];
+ char socket_dir[PATH_MAX];
+ 
++/* PKCS#11 path whitelist */
++static char *pkcs11_whitelist;
++
+ /* locking */
+ #define LOCK_SIZE	32
+ #define LOCK_SALT_SIZE	16
+@@ -761,7 +769,7 @@
+ static void
+ process_add_smartcard_key(SocketEntry *e)
+ {
+-	char *provider = NULL, *pin;
++	char *provider = NULL, *pin, canonical_provider[PATH_MAX];
+ 	int r, i, version, count = 0, success = 0, confirm = 0;
+ 	u_int seconds;
+ 	time_t death = 0;
+@@ -793,10 +801,21 @@
+ 			goto send;
+ 		}
+ 	}
++	if (realpath(provider, canonical_provider) == NULL) {
++		verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
++		    provider, strerror(errno));
++		goto send;
++	}
++	if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
++		verbose("refusing PKCS#11 add of \"%.100s\": "
++		    "provider not whitelisted", canonical_provider);
++		goto send;
++	}
++	debug("%s: add %.100s", __func__, canonical_provider);
+ 	if (lifetime && !death)
+ 		death = monotime() + lifetime;
+ 
+-	count = pkcs11_add_provider(provider, pin, &keys);
++	count = pkcs11_add_provider(canonical_provider, pin, &keys);
+ 	for (i = 0; i < count; i++) {
+ 		k = keys[i];
+ 		version = k->type == KEY_RSA1 ? 1 : 2;
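Review bot: the whitelist check correctly treats both the no-match (0) and negated-match (-1) results of match_pattern_list() as a refusal by testing `!= 1`, and it matches the realpath()-canonicalized string that is then passed to `pkcs11_add_provider(canonical_provider, pin, &keys)`, so the path loaded is exactly the path that was checked. Two things to confirm outside this hunk: the two new `goto send` paths rely on the `send:` label releasing `provider` and `pin`, as the pre-existing error path above does; and the `verbose()` refusal line is the only record an operator gets of a rejected module load, so it is worth keeping its wording stable as a log signal. There remains a small window between the check and the dlopen() inside pkcs11_add_provider() during which the file at canonical_provider could change, but because the default whitelist only covers directories writable by root, that does not weaken the fix in practice.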
+@@ -804,8 +823,8 @@
+ 		if (lookup_identity(k, version) == NULL) {
+ 			id = xcalloc(1, sizeof(Identity));
+ 			id->key = k;
+-			id->provider = xstrdup(provider);
+-			id->comment = xstrdup(provider); /* XXX */
++			id->provider = xstrdup(canonical_provider);
++			id->comment = xstrdup(canonical_provider); /* XXX */
+ 			id->death = death;
+ 			id->confirm = confirm;
+ 			TAILQ_INSERT_TAIL(&tab->idlist, id, next);
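Review bot: `id->provider` is now stored as the canonicalized path, so process_remove_smartcard_key() (not part of this patch) must canonicalize the provider string it receives in the same way, or else a removal request that names the provider by the path originally given to ssh-add (for example through a symlink or a relative path) will no longer compare equal to `id->provider` and the keys will stay loaded in the agent. Please confirm that the remove path applies realpath() as well, or compares against both forms.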
+@@ -1200,7 +1219,7 @@
+ {
+ 	fprintf(stderr,
+ 	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+-	    "                 [-t life] [command [arg ...]]\n"
++	    "                 [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
+ 	    "       ssh-agent [-c | -s] -k\n");
+ 	fprintf(stderr, "  -x          Exit when the last client disconnects.\n");
+ 	exit(1);
+@@ -1246,7 +1265,7 @@
+ 	__progname = ssh_get_progname(av[0]);
+ 	seed_rng();
+ 
+-	while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) {
++	while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) {
+ 		switch (ch) {
+ 		case 'E':
+ 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
+@@ -1261,6 +1280,11 @@
+ 		case 'k':
+ 			k_flag++;
+ 			break;
++		case 'P':
++			if (pkcs11_whitelist != NULL)
++				fatal("-P option already specified");
++			pkcs11_whitelist = xstrdup(optarg);
++			break;
+ 		case 's':
+ 			if (c_flag)
+ 				usage();
+@@ -1298,6 +1322,9 @@
+ 	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
+ 		usage();
+ 
++	if (pkcs11_whitelist == NULL)
++		pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
++
+ 	if (ac == 0 && !c_flag && !s_flag) {
+ 		shell = getenv("SHELL");
+ 		if (shell != NULL && (len = strlen(shell)) > 2 &&
+@@ -1445,7 +1472,7 @@
+ 	signal(SIGTERM, cleanup_handler);
+ 	nalloc = 0;
+ 
+-	if (pledge("stdio cpath unix id proc exec", NULL) == -1)
++	if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
+ 		fatal("%s: pledge: %s", __progname, strerror(errno));
+ 	platform_pledge_agent();
+ 
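Review bot: widening the pledge(2) promises from "stdio cpath unix id proc exec" to include "rpath" is required because the realpath(3) call added to process_add_smartcard_key() in this patch reads directory entries, and it is the only new filesystem read the patch introduces; add a short comment at the pledge call naming realpath() as the reason, so that a later tightening does not drop the promise and turn every PKCS#11 add into a pledge violation.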

Added: head/share/security/patches/SA-17:01/openssh.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-17:01/openssh.patch.asc	Wed Jan 11 06:07:42 2017	(r49830)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.16 (FreeBSD)
+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+=avDp
+-----END PGP SIGNATURE-----

Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml	Tue Jan 10 23:08:09 2017	(r49829)
+++ head/share/xml/advisories.xml	Wed Jan 11 06:07:42 2017	(r49830)
@@ -5,6 +5,22 @@
     </cvs:keyword>
 
   <year>
+    <name>2017</name>
+
+    <month>
+      <name>1</name>
+
+      <day>
+        <name>11</name>
+
+        <advisory>
+          <name>FreeBSD-SA-17:01.openssh</name>
+        </advisory>
+      </day>
+    </month>
+  </year>
+
+  <year>
     <name>2016</name>
 
     <month>

