From djm at openbsd.org Thu Mar 10 23:10:52 2016
From: djm at openbsd.org (Damien Miller)
Date: Thu, 10 Mar 2016 05:10:52 -0700 (MST)
Subject: [openssh-unix-announce] OpenSSH Security Advisory: xauth command injection

OpenSSH Security Advisory: x11fwd.adv

This document may be found at: http://www.openssh.com/txt/x11fwd.adv

1. Affected configurations

All versions of OpenSSH prior to 7.2p2 with X11Forwarding enabled.

2. Vulnerability

Missing sanitisation of untrusted input allows an authenticated user who is
able to request X11 forwarding to inject commands to xauth(1).

Injection of xauth commands grants the ability to read arbitrary files
under the authenticated user's privilege. Other xauth commands allow
limited information leakage, file overwrite, port probing and generally
expose xauth(1), which was not written with a hostile user in mind, as an
attack surface.

xauth(1) is run under the user's privilege, so this vulnerability offers
no additional access to unrestricted accounts, but could circumvent key or
account restrictions such as sshd_config ForceCommand, authorized_keys
command="..." or restricted shells.

3. Mitigation

Set X11Forwarding=no in sshd_config. This is the default.

For authorized_keys that specify a "command" restriction, also set the
"restrict" (available in OpenSSH >=7.2) or "no-x11-forwarding" restrictions.

4. Details

As part of establishing an X11 forwarding session, sshd(8) accepts an X11
authentication credential from the client. This credential is supplied to
the xauth(1) utility to establish it for X11 applications that the user
subsequently runs.

The contents of the credential's components (authentication scheme and
credential data) were not sanitised to exclude meta-characters such as
newlines. An attacker could therefore supply a credential that injected
commands to xauth(1).
The attacker could then use a number of xauth commands to read or
overwrite arbitrary files subject to file permissions, connect to local
ports or perform attacks on xauth(1) itself.

OpenSSH 7.2p2 implements a whitelist of characters that are permitted to
appear in X11 authentication credentials.

5. Credit

This issue was identified by github.com/tintinweb and communicated to the
OpenSSH developers on March 3rd, 2016.

6. Fix

Portable OpenSSH 7.2p2 contains a fix for this vulnerability.

Patches for supported OpenBSD releases (5.7, 5.8 and 5.9) have been
committed to the -STABLE branches and are available on the errata pages:

http://www.openbsd.org/errata57.html
http://www.openbsd.org/errata58.html
http://www.openbsd.org/errata59.html

From djm at openbsd.org Thu Mar 10 23:12:01 2016
From: djm at openbsd.org (Damien Miller)
Date: Thu, 10 Mar 2016 05:12:01 -0700 (MST)
Subject: [openssh-unix-announce] Announce: Portable OpenSSH 7.2p2 released

Portable OpenSSH 7.2p2 has just been released. It will be available from
the mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes
sftp client and server support. OpenSSH also includes transitional support
for the legacy SSH 1.3 and 1.5 protocols that may be enabled at
compile-time.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed code or
patches, reported bugs, tested snapshots or donated to the project. More
information on donations may be found at:
http://www.openssh.com/donations.html

Changes since OpenSSH 7.2p1
===========================

This release fixes a security bug:

 * sshd(8): sanitise X11 authentication credentials to avoid xauth
   command injection when X11Forwarding is enabled.
Full details of the vulnerability are available at:
http://www.openssh.com/txt/x11fwd.adv

Checksums:
==========

 - SHA1 (openssh-7.2p2.tar.gz) = 70e35d7d6386fe08abbd823b3a12a3ca44ac6d38
 - SHA256 (openssh-7.2p2.tar.gz) = pyeB0aBDh2oiT/GwAy2qQJTYdWWmhSh1nBwsq1SCVIw=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP key
used to sign the releases is available as RELEASE_KEY.asc from the mirror
sites.

Reporting Bugs:
===============

 - Please read http://www.openssh.com/report.html
   Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
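The character-whitelist fix described in section 4 of the advisory and in the 7.2p2 change entry above, shown as an added example that is not OpenSSH's own code: both client-supplied X11 authentication fields (scheme and data) are checked against a whitelist before an "add" line is composed for xauth(1). The allowed character set, the function names and the sample inputs are this example's assumptions, not taken from the advisory.

```c
/* Added example, not OpenSSH's code: whitelist the two X11 authentication
 * fields (scheme and data) before they reach xauth(1). The allowed set
 * (alphanumerics plus . : / - _) is this example's assumption. */
#include <ctype.h>
#include <stdio.h>

/* Return 1 if s is non-empty and every byte is in the whitelist, else 0.
 * A newline, space, quote or any other meta-character is rejected. */
int x11_auth_field_valid(const char *s)
{
    size_t i;
    if (s == NULL || s[0] == '\0')
        return 0;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != ':' && c != '/' &&
            c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* Build the "add <display> <scheme> <data>" line that would be written to
 * xauth(1)'s stdin. The display is sshd's own; scheme and data come from
 * the client and are checked first. Returns the line length or -1. */
int build_xauth_add_line(char *out, size_t outlen, const char *display,
                         const char *scheme, const char *data)
{
    int n;
    if (!x11_auth_field_valid(scheme) || !x11_auth_field_valid(data))
        return -1;
    n = snprintf(out, outlen, "add %s %s %s\n", display, scheme, data);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    char line[128];
    /* Constructed inputs: a well-formed cookie and one carrying a newline. */
    const char *good = "0123456789abcdef";
    const char *bad = "0123456789abcdef\nabcd";
    printf("good -> %d\n", build_xauth_add_line(line, sizeof line,
        "unix:10.0", "MIT-MAGIC-COOKIE-1", good));   /* 50 */
    printf("bad  -> %d\n", build_xauth_add_line(line, sizeof line,
        "unix:10.0", "MIT-MAGIC-COOKIE-1", bad));    /* -1 */
    return 0;
}
```

Because every xauth command is line-oriented, rejecting the newline (and the other meta-characters) at this single choke point is what keeps a credential from turning into a second xauth command.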