[Bug 3675] New: CASignatureAlgorithms should be verified before verifying signatures

[bugzilla-daemon at mindrot.org]

https://bugzilla.mindrot.org/show_bug.cgi?id=3675

            Bug ID: 3675
           Summary: CASignatureAlgorithms should be verified before
                    verifying signatures
           Product: Portable OpenSSH
           Version: 9.7p1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: andres at anarazel.de

Hi,

The code injected in CVE-2024-3094 causes RSA_public_decrypt to be
redirected to a payload.  This is not reachable for normal pubkey
authentication without 
1) the key algorithm being of a permitted type
2) knowing at least the signature of a pubkey in authorized_keys etc

However, certificates are verified before such checks:
userauth_pubkey()
-> sshkey_from_blob()
-> sshkey_from_blob_internal()
-> cert_parse()
-> sshkey_verify(key->cert->signature_key)
-> ssh_rsa_verify() (or others, depending on cert type)
-> openssh_RSA_verify()
-> RSA_public_decrypt()

The signature algorithm *is* subsequently checked, but of course
RSA_public_decrypt has already been called by that point. 

Outside of CVE-2024-3094, which is not openssh's reponsibility, that is
not a correctness issue. But doing verification of signatures with
algorithms that are disabled still seems fairly suboptimal, increasing
the amount of code reachable without having any valid access.

Looks to me that an equivalent to checking in authorized_keys can't be
done before the verification, but checking CASignatureAlgorithms seems
entirely possible.

It might also be worth rejecting certificates without any validation if
the sshd is not configured to use CA based auth.


Regards,

Andres

-- 
You are receiving this mail because:
You are watching the assignee of the bug.