Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.1975.2
OpenSSH multiple vulnerabilities
31 July 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: openssh
Publisher: FreeBSD
Operating System: FreeBSD
Impact/Access: Provide Misleading Information -- Remote with User Interaction
Reduced Security -- Remote/Unauthenticated
Unauthorised Access -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2015-5600 CVE-2014-2653
Reference: ESB-2015.0512
ESB-2014.2130
ESB-2014.1842
ESB-2014.0997
ESB-2014.0444
Original Bulletin:
https://security.FreeBSD.org/advisories/FreeBSD-SA-15:16.openssh.asc
Revision History: July 31 2015: Revised patch for FreeBSD 8.x to address regression when keyboard interactive authentication is used
July 29 2015: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:16.openssh Security Advisory
The FreeBSD Project
Topic: OpenSSH multiple vulnerabilities
Category: contrib
Module: openssh
Announced: 2015-07-28, revised on 2015-07-30
Affects: All supported versions of FreeBSD.
Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
2015-07-30 10:09:07 UTC (stable/8, 8.4-STABLE)
2015-07-30 10:09:31 UTC (releng/8.4, 8.4-RELEASE-p36)
CVE Name: CVE-2014-2653, CVE-2015-5600
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
0. Revision history
v1.0 2015-02-25 Initial release.
v1.1 2015-07-30 Revised patch for FreeBSD 8.x to address regression when
keyboard interactive authentication is used.
I. Background
OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.
The security of the SSH connection relies on the server authenticating
itself to the client as well as the user authenticating itself to the
server. SSH servers uses host keys to verify their identity.
RFC 4255 has defined a method of verifying SSH host keys using Domain
Name System Security (DNSSEC), by publishing the key fingerprint using
DNS with "SSHFP" resource record. RFC 6187 has defined methods to use
a signature by a trusted certification authority to bind a given public
key to a given digital identity with X.509v3 certificates.
The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.
OpenSSH uses PAM for password authentication by default.
II. Problem Description
OpenSSH clients does not correctly verify DNS SSHFP records when a server
offers a certificate. [CVE-2014-2653]
OpenSSH servers which are configured to allow password authentication
using PAM (default) would allow many password attempts.
III. Impact
A malicious server may be able to force a connecting client to skip DNS
SSHFP record check and require the user to perform manual host verification
of the host key fingerprint. This could allow man-in-the-middle attack
if the user does not carefully check the fingerprint. [CVE-2014-2653]
A remote attacker may effectively bypass MaxAuthTries settings, which would
enable them to brute force passwords. [CVE-2015-5600]
IV. Workaround
Systems that do not use OpenSSH are not affected.
There is no workaround for CVE-2014-2653, but the problem only affects
networks where DNSsec and SSHFP is properly configured. Users who uses
SSH should always check server host key fingerprints carefully when
prompted.
System administrators can set:
UsePAM no
In their /etc/ssh/sshd_config and restart sshd service to workaround the
problem described as CVE-2015-5600 at expense of losing features provided
by the PAM framework.
We recommend system administrators to disable password based authentication
completely, and use key based authentication exclusively in their SSH server
configuration, when possible. This would eliminate the possibility of being
ever exposed to password brute force attack.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
SSH service has to be restarted after the update. A reboot is recommended
but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
SSH service has to be restarted after the update. A reboot is recommended
but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.3, 10.1, 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc
# gpg --verify openssh.patch.asc
[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc
# gpg --verify openssh-8.patch.asc
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patc
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patch.asc
# gpg --verify openssh-8-errata.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the SSH service, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- - -------------------------------------------------------------------------
stable/8/ r286067
releng/8.4/ r286068
stable/9/ r285977
releng/9.3/ r285980
stable/10/ r285976
releng/10.1/ r285979
releng/10.2/ r285978
- - -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:16.openssh.asc>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)
iQIcBAEBCgAGBQJVufuCAAoJEO1n7NZdz2rnHHAQALfjXH/WyrgpHxw1YFipwFSD
bl+HLbdvMVbfBxLV7eVBK9RPQiyoxwocmU0uMdiNEIWt2llczTLEl/wtUjj6f4Ko
K6E7AAOgOX4zdQxBd2502FvXC1oNbDEvK8X3M4MzPHAG4QRgXNffRGYvClmbayck
2i+bjcHdKAEwFJjHk4wXOQ0yhdF6Q36bH0N3kPV9z7sAt3tuzSWhvtX6QQSyeuCJ
ie2db9CdSUnFhYELJnVMpVTf3ppMqUT6QEe45LmsGA6F8yWdMaW2vtMdJq6xFVYP
INCUVyOlDRu0TibjLUpXu4KugeDgyTXy9oz4SRdnpcUWz33fM6aSgOkpiM1h05ja
BJrs0HZbkjCwtD+8a0buoyIKb9NBIsDKbrec5g8AEDkAHjRzraLGAXUYwkFeyqYJ
j+ll5r5iu5fc4s8QM+ySlGCW8V9Ix8FX7Rr7FhAWLSKEldDsnCRjG4EfrAcd1HiC
PleAnLv4uKwfSugIBIEs5ls7+TzWytW8nnEpMEerXUD894suFIycOT6eoUYF/CCT
I1nHWSITw4HSj8+wBvrhxwZCRqIMOAZB+3jzrwRE+QZkghoWnPnqrCn9uLkdndq5
ewgz6PiuYC8Zx0Z6trA72oV+XjTKu2d6eO5tRpe9aAmhPmfBWg3fXYltVzTzF9IE
r0z98qmTEPiTDi8dr+K/
=GsXJ
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVbroGn6ZAP0PgtI9AQK+Wg/+Oc5gXXzYbaargHN7ThBM4tlpDuhYiYvA
OcOz5SI3eD4aHOUyE6ojwfIclCvV+EUyjZpmLlxwzHiuqTqA6vIgJ1QFGnqT5589
9ZOKfc5QFcTfMqYndiJNNuSCQim1G3/yA715jZZLUc0N+lAVVOXomkH0E7aSaqmN
AbpvVx/IIHvaMmmOeDTygXRBngVyvtYL/5Vxu9Bd3wR8lnDC2t7SwbPvqcDQxFGn
6YnmsaZlksJIn7roQxDV8HI03gTGz5m0hTEiid31UpvkSeOSuqqwrsil1307xJNd
LKq+z6+3/3MuPFn0IoB2FW/K3+6Mu+wMhYHapE/QHZmrARZur7jFRal2nQLu0VYE
FrXYW+6LO30Zae5xkkDkpKl+RoedL27REZnh82ohlMwp8ZCEIe3utvZ+J0jK6/9J
3f1wIyBrwnKnAQ9mVpkzpzLS8FfLx0rdIAEAzESLictQInGzBGxaUMbXbR/8rF0T
eAE51YOm412v3ofUZ7nE1pyoTgwJNu6s6nZVsH0b28gkCzbcG4QkDxvokwcfia3o
Lu4SUp+OS+VWVl/pOa2IAwPIaR+5MLMiS3fmJvd5XRJUGlapY5dGswzG9QgSEW1m
6idAc79nxfIePbUZx7w/yp1avYUGPGul5Hoy74LQOPLavv+nt68RcZPtliWR41cH
GbfS4gh8zuM=
=LNj0
-----END PGP SIGNATURE-----