[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1061549: marked as done (bookworm-pu: package dropbear/2022.83-1+deb12u1)

Your message dated Sat, 10 Feb 2024 13:11:21 +0000
with message-id <E1rYn8b-002ycM-VA@coccia.debian.org>
and subject line Released with 12.5
has caused the Debian Bug report #1061549,
regarding bookworm-pu: package dropbear/2022.83-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1061549: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061549
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: dropbear@packages.debian.org
Control: affects -1 + src:dropbear

[ Reason ]

dropbear 2022.83-1 is vunerable to CVE-2023-48795 (terrapin attack).
https://terrapin-attack.com/

Based on https://bugs.debian.org/1059001 the security team argued this
didn't warrant a CVE, and suggested to go via s-pu instead.

[ Impact ]

Bookworm users will remain vulnerable to CVE-2023-48795.  Details about
what that entails has been discussed on the upstream bug tracker at
https://github.com/mkj/dropbear/issues/270 , where one the terrapin
finder wrote that

| While it is true that not sending server-sig-algs does not prevent the
| client from trying SHA2-based RSA signatures, we observed the suggested
| behavior (preferring SHA-1 over SHA-2 when server-sig-algs is missing)
| in a wide variety of SSH clients.  Also, the order of algorithms in
| server-sig-algs is used by some clients in case multiple private keys
| are present, potentially leading to downgrades as well.
|
| However, we do not consider this application of the Terrapin attack to
| have a significant impact.  Instead, our main concern is the combination
| of Terrapin with implementation bugs, as seen in AsyncSSH.  We evaluated
| only a handful of SSH implementations, where one already allowed for
| in-session man-in-the-middle attacks.  Given the wide variety of SSH
| implementations, one can estimate with sufficient probability that other
| implementations face similar issues.

[ Tests ]

I checked the updated dropbear SSHd/dbclient against the Terrapin
scanner.

[ Risks ]

Risk is low: the patch comes from upstream and applied cleanly (no
upstream version was released since Bookworm was released).

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Implement Strict KEX mode to fix CVE-2023-48795 (terrapin attack).

-- 
Guilhem.

diffstat for dropbear-2022.83 dropbear-2022.83

 changelog                    |   11 ++
 patches/CVE-2023-48795.patch |  232 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    1 
 salsa-ci.yml                 |    8 +
 4 files changed, 252 insertions(+)

diff -Nru dropbear-2022.83/debian/changelog dropbear-2022.83/debian/changelog
--- dropbear-2022.83/debian/changelog	2022-11-14 22:16:35.000000000 +0100
+++ dropbear-2022.83/debian/changelog	2024-01-26 10:01:00.000000000 +0100
@@ -1,3 +1,14 @@
+dropbear (2022.83-1+deb12u1) bookworm; urgency=medium
+
+  * Fix CVE-2023-48795: (terrapin attack): The SSH transport protocol with
+    certain OpenSSH extensions allows remote attackers to bypass integrity
+    checks such that some packets are omitted (from the extension negotiation
+    message), and a client and server may consequently end up with a
+    connection for which some security features have been downgraded or
+    disabled, aka a Terrapin attack. (Closes: #1059001)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Fri, 26 Jan 2024 10:01:00 +0100
+
 dropbear (2022.83-1) unstable; urgency=medium
 
   * New upstream release 2022.83.  Support for ssh-dss (DSA) host and user
diff -Nru dropbear-2022.83/debian/patches/CVE-2023-48795.patch dropbear-2022.83/debian/patches/CVE-2023-48795.patch
--- dropbear-2022.83/debian/patches/CVE-2023-48795.patch	1970-01-01 01:00:00.000000000 +0100
+++ dropbear-2022.83/debian/patches/CVE-2023-48795.patch	2024-01-26 10:01:00.000000000 +0100
@@ -0,0 +1,232 @@
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Mon, 20 Nov 2023 14:02:47 +0800
+Subject: Implement Strict KEX mode
+
+As specified by OpenSSH with kex-strict-c-v00@openssh.com and
+kex-strict-s-v00@openssh.com.
+
+Origin: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-48795
+Bug-Debian: https://bugs.debian.org/1059001
+---
+ cli-session.c    | 11 +++++++++++
+ common-algo.c    |  6 ++++++
+ common-kex.c     | 26 +++++++++++++++++++++++++-
+ kex.h            |  3 +++
+ process-packet.c | 34 +++++++++++++++++++---------------
+ ssh.h            |  4 ++++
+ svr-session.c    |  3 +++
+ 7 files changed, 71 insertions(+), 16 deletions(-)
+
+diff --git a/cli-session.c b/cli-session.c
+index 5981b24..d261c8f 100644
+--- a/cli-session.c
++++ b/cli-session.c
+@@ -46,6 +46,7 @@ static void cli_finished(void) ATTRIB_NORETURN;
+ static void recv_msg_service_accept(void);
+ static void cli_session_cleanup(void);
+ static void recv_msg_global_request_cli(void);
++static void cli_algos_initialise(void);
+ 
+ struct clientsession cli_ses; /* GLOBAL */
+ 
+@@ -117,6 +118,7 @@ void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection
+ 	}
+ 
+ 	chaninitialise(cli_chantypes);
++	cli_algos_initialise();
+ 
+ 	/* Set up cli_ses vars */
+ 	cli_session_init(proxy_cmd_pid);
+@@ -487,3 +489,12 @@ void cli_dropbear_log(int priority, const char* format, va_list param) {
+ 	fflush(stderr);
+ }
+ 
++static void cli_algos_initialise(void) {
++	algo_type *algo;
++	for (algo = sshkex; algo->name; algo++) {
++		if (strcmp(algo->name, SSH_STRICT_KEX_S) == 0) {
++			algo->usable = 0;
++		}
++	}
++}
++
+diff --git a/common-algo.c b/common-algo.c
+index 378f0ca..f9d46eb 100644
+--- a/common-algo.c
++++ b/common-algo.c
+@@ -307,6 +307,12 @@ algo_type sshkex[] = {
+ 	/* Set unusable by svr_algos_initialise() */
+ 	{SSH_EXT_INFO_C, 0, NULL, 1, NULL},
+ #endif
++#endif
++#if DROPBEAR_CLIENT
++	{SSH_STRICT_KEX_C, 0, NULL, 1, NULL},
++#endif
++#if DROPBEAR_SERVER
++	{SSH_STRICT_KEX_S, 0, NULL, 1, NULL},
+ #endif
+ 	{NULL, 0, NULL, 0, NULL}
+ };
+diff --git a/common-kex.c b/common-kex.c
+index ac88442..8e33b12 100644
+--- a/common-kex.c
++++ b/common-kex.c
+@@ -183,6 +183,10 @@ void send_msg_newkeys() {
+ 	gen_new_keys();
+ 	switch_keys();
+ 
++	if (ses.kexstate.strict_kex) {
++		ses.transseq = 0;
++	}
++
+ 	TRACE(("leave send_msg_newkeys"))
+ }
+ 
+@@ -193,7 +197,11 @@ void recv_msg_newkeys() {
+ 
+ 	ses.kexstate.recvnewkeys = 1;
+ 	switch_keys();
+-	
++
++	if (ses.kexstate.strict_kex) {
++		ses.recvseq = 0;
++	}
++
+ 	TRACE(("leave recv_msg_newkeys"))
+ }
+ 
+@@ -550,6 +558,10 @@ void recv_msg_kexinit() {
+ 
+ 	ses.kexstate.recvkexinit = 1;
+ 
++	if (ses.kexstate.strict_kex && !ses.kexstate.donefirstkex && ses.recvseq != 1) {
++		dropbear_exit("First packet wasn't kexinit");
++	}
++
+ 	TRACE(("leave recv_msg_kexinit"))
+ }
+ 
+@@ -859,6 +871,18 @@ static void read_kex_algos() {
+ 	}
+ #endif
+ 
++	if (!ses.kexstate.donefirstkex) {
++		const char* strict_name;
++		if (IS_DROPBEAR_CLIENT) {
++			strict_name = SSH_STRICT_KEX_S;
++		} else {
++			strict_name = SSH_STRICT_KEX_C;
++		}
++		if (buf_has_algo(ses.payload, strict_name) == DROPBEAR_SUCCESS) {
++			ses.kexstate.strict_kex = 1;
++		}
++	}
++
+ 	algo = buf_match_algo(ses.payload, sshkex, kexguess2, &goodguess);
+ 	allgood &= goodguess;
+ 	if (algo == NULL || algo->data == NULL) {
+diff --git a/kex.h b/kex.h
+index 77cf21a..7fcc3c2 100644
+--- a/kex.h
++++ b/kex.h
+@@ -83,6 +83,9 @@ struct KEXState {
+ 
+ 	unsigned our_first_follows_matches : 1;
+ 
++	/* Boolean indicating that strict kex mode is in use */
++	unsigned int strict_kex;
++
+ 	time_t lastkextime; /* time of the last kex */
+ 	unsigned int datatrans; /* data transmitted since last kex */
+ 	unsigned int datarecv; /* data received since last kex */
+diff --git a/process-packet.c b/process-packet.c
+index 9454160..133a152 100644
+--- a/process-packet.c
++++ b/process-packet.c
+@@ -44,6 +44,7 @@ void process_packet() {
+ 
+ 	unsigned char type;
+ 	unsigned int i;
++	unsigned int first_strict_kex = ses.kexstate.strict_kex && !ses.kexstate.donefirstkex;
+ 	time_t now;
+ 
+ 	TRACE2(("enter process_packet"))
+@@ -54,22 +55,24 @@ void process_packet() {
+ 	now = monotonic_now();
+ 	ses.last_packet_time_keepalive_recv = now;
+ 
+-	/* These packets we can receive at any time */
+-	switch(type) {
+ 
+-		case SSH_MSG_IGNORE:
+-			goto out;
+-		case SSH_MSG_DEBUG:
+-			goto out;
++	if (type == SSH_MSG_DISCONNECT) {
++		/* Allowed at any time */
++		dropbear_close("Disconnect received");
++	}
+ 
+-		case SSH_MSG_UNIMPLEMENTED:
+-			/* debugging XXX */
+-			TRACE(("SSH_MSG_UNIMPLEMENTED"))
+-			goto out;
+-			
+-		case SSH_MSG_DISCONNECT:
+-			/* TODO cleanup? */
+-			dropbear_close("Disconnect received");
++	/* These packets may be received at any time,
++	   except during first kex with strict kex */
++	if (!first_strict_kex) {
++		switch(type) {
++			case SSH_MSG_IGNORE:
++				goto out;
++			case SSH_MSG_DEBUG:
++				goto out;
++			case SSH_MSG_UNIMPLEMENTED:
++				TRACE(("SSH_MSG_UNIMPLEMENTED"))
++				goto out;
++		}
+ 	}
+ 
+ 	/* Ignore these packet types so that keepalives don't interfere with
+@@ -98,7 +101,8 @@ void process_packet() {
+ 			if (type >= 1 && type <= 49
+ 				&& type != SSH_MSG_SERVICE_REQUEST
+ 				&& type != SSH_MSG_SERVICE_ACCEPT
+-				&& type != SSH_MSG_KEXINIT)
++				&& type != SSH_MSG_KEXINIT
++				&& !first_strict_kex)
+ 			{
+ 				TRACE(("unknown allowed packet during kexinit"))
+ 				recv_unimplemented();
+diff --git a/ssh.h b/ssh.h
+index 1b4fec6..ef3efdc 100644
+--- a/ssh.h
++++ b/ssh.h
+@@ -100,6 +100,10 @@
+ #define SSH_EXT_INFO_C "ext-info-c"
+ #define SSH_SERVER_SIG_ALGS "server-sig-algs"
+ 
++/* OpenSSH strict KEX feature */
++#define SSH_STRICT_KEX_S "kex-strict-s-v00@openssh.com"
++#define SSH_STRICT_KEX_C "kex-strict-c-v00@openssh.com"
++
+ /* service types */
+ #define SSH_SERVICE_USERAUTH "ssh-userauth"
+ #define SSH_SERVICE_USERAUTH_LEN 12
+diff --git a/svr-session.c b/svr-session.c
+index 769f073..a538e2c 100644
+--- a/svr-session.c
++++ b/svr-session.c
+@@ -370,6 +370,9 @@ static void svr_algos_initialise(void) {
+ 			algo->usable = 0;
+ 		}
+ #endif
++		if (strcmp(algo->name, SSH_STRICT_KEX_C) == 0) {
++			algo->usable = 0;
++		}
+ 	}
+ }
+ 
diff -Nru dropbear-2022.83/debian/patches/series dropbear-2022.83/debian/patches/series
--- dropbear-2022.83/debian/patches/series	2022-11-14 22:16:35.000000000 +0100
+++ dropbear-2022.83/debian/patches/series	2024-01-26 10:01:00.000000000 +0100
@@ -1,3 +1,4 @@
 fix-FTBFS-on-hurd-i386.patch
 support-running-test_aslr-without-venv.patch
 raise-connection-delay-in-tests.patch
+CVE-2023-48795.patch
diff -Nru dropbear-2022.83/debian/salsa-ci.yml dropbear-2022.83/debian/salsa-ci.yml
--- dropbear-2022.83/debian/salsa-ci.yml	1970-01-01 01:00:00.000000000 +0100
+++ dropbear-2022.83/debian/salsa-ci.yml	2024-01-26 10:01:00.000000000 +0100
@@ -0,0 +1,8 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'bookworm'
+  SALSA_CI_DISABLE_REPROTEST: 1
+  SALSA_CI_DISABLE_LINTIAN: 1

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Version: 12.5

The upload requested in this bug has been released as part of 12.5.

--- End Message ---
Reply to: