From djm at cvs.openbsd.org Fri Feb 4 12:24:00 2011 From: djm at cvs.openbsd.org (Damien Miller) Date: Thu, 3 Feb 2011 18:24:00 -0700 (MST) Subject: [openssh-unix-announce] OpenSSH security advisory: legacy certificate signing in 5.6/5.7 Message-ID: <201102040124.p141O0jb020743@cvs.openbsd.org> OpenSSH Security Advisory: legacy-certs.adv This document may be found at: http://www.openssh.com/txt/legacy-cert.adv 1. Vulnerability Legacy certificates generated by OpenSSH might contain data from the stack thus leaking confidential information. 2. Affected configurations OpenSSH 5.6 and OpenSSH 5.7 only when generating legacy certificates. These must be specifically requested using the "-t" option on the ssh-keygen CA command-line. 3. Mitigation Avoid generating legacy certificates using OpenSSH 5.6 or 5.7 If legacy certificates have been issued with a vulnerable OpenSSH version, consider rotating any CA key used. 4. Details When generating legacy *-cert-v00 at openssh.com certificates, the nonce field was not being correctly filled with random data but was left uninitialised, containing the contents of the stack. The contents of the stack at this point in ssh-keygen's execution do not appear to leak the CA private key or other sensitive data, but this possibility cannot be excluded on all platforms and library versions. If certificates are generated using user-specified contents (as opposed to the CA specifying all fields) then they will be less resistant to hash collision attacks. Fortunately, such attacks are not currently considered practical for the SHA family of hashes used to sign these certificates. 5. Credit This issue was privately reported by Mateusz Kocielski on January 26, 2011. 6. Fix OpenSSH 5.8 contains a fix for this vulnerability. Users who prefer to continue to use OpenSSH 5.6 or 5.7 may apply this patch: Index: key.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/key.c,v retrieving revision 1.95 diff -u -r1.95 key.c --- key.c 10 Nov 2010 01:33:07 -0000 1.95 +++ key.c 3 Feb 2011 06:52:33 -0000 @@ -1823,8 +1823,8 @@ buffer_put_cstring(&k->cert->certblob, key_ssh_name(k)); /* -v01 certs put nonce first */ + arc4random_buf(&nonce, sizeof(nonce)); if (!key_cert_is_legacy(k)) { - arc4random_buf(&nonce, sizeof(nonce)); buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); } From djm at cvs.openbsd.org Fri Feb 4 12:25:17 2011 From: djm at cvs.openbsd.org (Damien Miller) Date: Thu, 3 Feb 2011 18:25:17 -0700 (MST) Subject: [openssh-unix-announce] Announce: OpenSSH 5.8 released Message-ID: <201102040125.p141PHR1029846@cvs.openbsd.org> OpenSSH 5.8 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Changes since OpenSSH 5.7 ========================= Security: * Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6 and found by Mateusz Kocielski. Legacy certificates signed by OpenSSH 5.6 or 5.7 included data from the stack in place of a random nonce field. The contents of the stack do not appear to contain private data at this point, but this cannot be stated with certainty for all platform, library and compiler combinations. In particular, there exists a risk that some bytes from the privileged CA key may be accidentally included. A full advisory for this issue is available at: http://www.openssh.com/txt/legacy-cert.adv Portable OpenSSH Bugfixes: * Fix compilation failure when enableing SELinux support. * Do not attempt to call SELinux functions when SELinux is disabled. bz#1851 Checksums: ========== - SHA1 (openssh-5.8.tar.gz) = 205dece2c8b41c69b082eb65320d359987aae25b - SHA1 (openssh-5.8p1.tar.gz) = adebb2faa9aba2a3a3c8b401b2b19677ab53f0de Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh at openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.