Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.1975.2 OpenSSH multiple vulnerabilities 31 July 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: openssh Publisher: FreeBSD Operating System: FreeBSD Impact/Access: Provide Misleading Information -- Remote with User Interaction Reduced Security -- Remote/Unauthenticated Unauthorised Access -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2015-5600 CVE-2014-2653 Reference: ESB-2015.0512 ESB-2014.2130 ESB-2014.1842 ESB-2014.0997 ESB-2014.0444 Original Bulletin: https://security.FreeBSD.org/advisories/FreeBSD-SA-15:16.openssh.asc Revision History: July 31 2015: Revised patch for FreeBSD 8.x to address regression when keyboard interactive authentication is used July 29 2015: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:16.openssh Security Advisory The FreeBSD Project Topic: OpenSSH multiple vulnerabilities Category: contrib Module: openssh Announced: 2015-07-28, revised on 2015-07-30 Affects: All supported versions of FreeBSD. Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE) 2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2) 2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1) 2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16) 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE) 2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21) 2015-07-30 10:09:07 UTC (stable/8, 8.4-STABLE) 2015-07-30 10:09:31 UTC (releng/8.4, 8.4-RELEASE-p36) CVE Name: CVE-2014-2653, CVE-2015-5600 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. 0. Revision history v1.0 2015-02-25 Initial release. v1.1 2015-07-30 Revised patch for FreeBSD 8.x to address regression when keyboard interactive authentication is used. I. Background OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. The security of the SSH connection relies on the server authenticating itself to the client as well as the user authenticating itself to the server. SSH servers uses host keys to verify their identity. RFC 4255 has defined a method of verifying SSH host keys using Domain Name System Security (DNSSEC), by publishing the key fingerprint using DNS with "SSHFP" resource record. RFC 6187 has defined methods to use a signature by a trusted certification authority to bind a given public key to a given digital identity with X.509v3 certificates. The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. OpenSSH uses PAM for password authentication by default. II. Problem Description OpenSSH clients does not correctly verify DNS SSHFP records when a server offers a certificate. [CVE-2014-2653] OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts. III. Impact A malicious server may be able to force a connecting client to skip DNS SSHFP record check and require the user to perform manual host verification of the host key fingerprint. This could allow man-in-the-middle attack if the user does not carefully check the fingerprint. [CVE-2014-2653] A remote attacker may effectively bypass MaxAuthTries settings, which would enable them to brute force passwords. [CVE-2015-5600] IV. Workaround Systems that do not use OpenSSH are not affected. There is no workaround for CVE-2014-2653, but the problem only affects networks where DNSsec and SSHFP is properly configured. Users who uses SSH should always check server host key fingerprints carefully when prompted. System administrators can set: UsePAM no In their /etc/ssh/sshd_config and restart sshd service to workaround the problem described as CVE-2015-5600 at expense of losing features provided by the PAM framework. We recommend system administrators to disable password based authentication completely, and use key based authentication exclusively in their SSH server configuration, when possible. This would eliminate the possibility of being ever exposed to password brute force attack. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. SSH service has to be restarted after the update. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install SSH service has to be restarted after the update. A reboot is recommended but not required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 9.3, 10.1, 10.2] # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc # gpg --verify openssh.patch.asc [FreeBSD 8.4] # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc # gpg --verify openssh-8.patch.asc # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patc # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patch.asc # gpg --verify openssh-8-errata.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Restart the SSH service, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - - ------------------------------------------------------------------------- stable/8/ r286067 releng/8.4/ r286068 stable/9/ r285977 releng/9.3/ r285980 stable/10/ r285976 releng/10.1/ r285979 releng/10.2/ r285978 - - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:16.openssh.asc> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.6 (FreeBSD) iQIcBAEBCgAGBQJVufuCAAoJEO1n7NZdz2rnHHAQALfjXH/WyrgpHxw1YFipwFSD bl+HLbdvMVbfBxLV7eVBK9RPQiyoxwocmU0uMdiNEIWt2llczTLEl/wtUjj6f4Ko K6E7AAOgOX4zdQxBd2502FvXC1oNbDEvK8X3M4MzPHAG4QRgXNffRGYvClmbayck 2i+bjcHdKAEwFJjHk4wXOQ0yhdF6Q36bH0N3kPV9z7sAt3tuzSWhvtX6QQSyeuCJ ie2db9CdSUnFhYELJnVMpVTf3ppMqUT6QEe45LmsGA6F8yWdMaW2vtMdJq6xFVYP INCUVyOlDRu0TibjLUpXu4KugeDgyTXy9oz4SRdnpcUWz33fM6aSgOkpiM1h05ja BJrs0HZbkjCwtD+8a0buoyIKb9NBIsDKbrec5g8AEDkAHjRzraLGAXUYwkFeyqYJ j+ll5r5iu5fc4s8QM+ySlGCW8V9Ix8FX7Rr7FhAWLSKEldDsnCRjG4EfrAcd1HiC PleAnLv4uKwfSugIBIEs5ls7+TzWytW8nnEpMEerXUD894suFIycOT6eoUYF/CCT I1nHWSITw4HSj8+wBvrhxwZCRqIMOAZB+3jzrwRE+QZkghoWnPnqrCn9uLkdndq5 ewgz6PiuYC8Zx0Z6trA72oV+XjTKu2d6eO5tRpe9aAmhPmfBWg3fXYltVzTzF9IE r0z98qmTEPiTDi8dr+K/ =GsXJ - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVbroGn6ZAP0PgtI9AQK+Wg/+Oc5gXXzYbaargHN7ThBM4tlpDuhYiYvA OcOz5SI3eD4aHOUyE6ojwfIclCvV+EUyjZpmLlxwzHiuqTqA6vIgJ1QFGnqT5589 9ZOKfc5QFcTfMqYndiJNNuSCQim1G3/yA715jZZLUc0N+lAVVOXomkH0E7aSaqmN AbpvVx/IIHvaMmmOeDTygXRBngVyvtYL/5Vxu9Bd3wR8lnDC2t7SwbPvqcDQxFGn 6YnmsaZlksJIn7roQxDV8HI03gTGz5m0hTEiid31UpvkSeOSuqqwrsil1307xJNd LKq+z6+3/3MuPFn0IoB2FW/K3+6Mu+wMhYHapE/QHZmrARZur7jFRal2nQLu0VYE FrXYW+6LO30Zae5xkkDkpKl+RoedL27REZnh82ohlMwp8ZCEIe3utvZ+J0jK6/9J 3f1wIyBrwnKnAQ9mVpkzpzLS8FfLx0rdIAEAzESLictQInGzBGxaUMbXbR/8rF0T eAE51YOm412v3ofUZ7nE1pyoTgwJNu6s6nZVsH0b28gkCzbcG4QkDxvokwcfia3o Lu4SUp+OS+VWVl/pOa2IAwPIaR+5MLMiS3fmJvd5XRJUGlapY5dGswzG9QgSEW1m 6idAc79nxfIePbUZx7w/yp1avYUGPGul5Hoy74LQOPLavv+nt68RcZPtliWR41cH GbfS4gh8zuM= =LNj0 -----END PGP SIGNATURE-----