
Bug#984940: CVE-2021-28041


Moritz Muehlenhoff

Mar 10, 2021, 12:10:03 PM
Source: openssh
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <te...@security.debian.org>

Hi,
The following vulnerability was published for openssh.

CVE-2021-28041[0]:
| ssh-agent in OpenSSH before 8.5 has a double free that may be relevant
| in a few less-common scenarios, such as unconstrained agent-socket
| access on a legacy operating system, or the forwarding of an agent to
| an attacker-controlled host.

Buster is not affected. Isolated patch at:
https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db

Cheers,
Moritz

Colin Watson

Mar 12, 2021, 6:10:04 PM
On Wed, Mar 10, 2021 at 05:57:52PM +0100, Moritz Muehlenhoff wrote:
> The following vulnerability was published for openssh.
>
> CVE-2021-28041[0]:
> | ssh-agent in OpenSSH before 8.5 has a double free that may be relevant
> | in a few less-common scenarios, such as unconstrained agent-socket
> | access on a legacy operating system, or the forwarding of an agent to
> | an attacker-controlled host.
>
> Buster is not affected. Isolated patch at:
> https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db

This patch unfortunately doesn't apply terribly cleanly to OpenSSH
8.4p1, because it depends on some earlier refactoring, e.g.
37c70ea8d4f3664a88141bcdf0bf7a16bd5fd1ac.

If I understand the vulnerability correctly, then it seems to me that
the following shorter patch would fix it, and would run less risk of me
fouling something else up by backporting the refactoring wrongly:

diff --git a/ssh-agent.c b/ssh-agent.c
index e1fd1f3f6..b6ccbfb49 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -581,12 +581,14 @@ process_add_identity(SocketEntry *e)
goto err;
}
free(ext_name);
+ ext_name = NULL;
break;
default:
error("%s: Unknown constraint %d", __func__, ctype);
err:
free(sk_provider);
free(ext_name);
+ ext_name = NULL;
sshbuf_reset(e->request);
free(comment);
sshkey_free(k);
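Review bot: the second `ext_name = NULL;` under the `err:` label is dead code: it sits on the function's exit path, and nothing visible in the hunk reads or frees `ext_name` again after that point, so only the first added line (the `ext_name = NULL;` following the `free(ext_name);` that precedes `break;`) is what prevents a later `goto err` from freeing the already-released pointer. Consider dropping the second line to keep the backport minimal; the first line alone addresses the double free the patch is meant to fix.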

But I think I should probably check this with upstream before applying
it, so CCing openssh-unix-dev for review.

Thanks,

--
Colin Watson (he/him) [cjwa...@debian.org]

Darren Tucker

Mar 12, 2021, 11:10:03 PM
On Sat, 13 Mar 2021 at 10:01, Colin Watson <cjwa...@debian.org> wrote:
> This patch unfortunately doesn't apply terribly cleanly to OpenSSH
> 8.4p1, [...]
> If I understand the vulnerability correctly, then it seems to me that
> the following shorter patch would fix it, and would run less risk of me
> fouling something else up by backporting the refactoring wrongly:

There's a patch against 8.4 here:
https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/015_sshagent.patch.sig

It has the first of the two changes in your diff. The second is
harmless but unnecessary as it's on the exit path from the function
and there can't be a following call to free.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
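A simplified model of the control flow discussed in this thread, added here as an example; it is not OpenSSH code and not part of the thread, and the constraint names, the instrumented `tracked_free`, and the input sequences are all constructed. It shows the stale `ext_name` being released a second time when a later unknown constraint jumps to `err`, and that nulling the pointer right after the first free turns the exit-path free into a harmless `free(NULL)`.

```c
#include <stdlib.h>
#define CONSTRAINT_EXT   1   /* constraint carrying a heap-allocated name */
#define CONSTRAINT_PLAIN 2   /* constraint with no payload */
/* Instrumented release: records every pointer it is given and reports a
 * second release of the same pointer instead of corrupting the heap. The
 * real free() is deliberately skipped so a later allocation can never
 * recycle a recorded address and produce a false report (demo-only leak). */
static void *released[16];
static size_t nreleased;
static int tracked_free(void *p)
{
    if (p == NULL) return 0;              /* free(NULL) is always safe */
    for (size_t i = 0; i < nreleased; i++)
        if (released[i] == p)
            return 1;                     /* double free */
    if (nreleased < 16)
        released[nreleased++] = p;
    return 0;
}
/* Walks a list of constraint types the way an add-identity handler might.
 * With null_after_free == 0 it reproduces the bug: ext_name is freed in the
 * EXT case, the loop carries on, and a later unknown constraint jumps to
 * err, where the stale ext_name is freed again. Returns the number of
 * double frees observed; 0 is the correct result. */
static int process_constraints(const int *types, size_t n, int null_after_free)
{
    char *ext_name = NULL;
    int doubles = 0;
    nreleased = 0;                        /* fresh bookkeeping per call */
    for (size_t i = 0; i < n; i++) {
        switch (types[i]) {
        case CONSTRAINT_EXT:
            ext_name = malloc(16);        /* stands in for the decoded name */
            doubles += tracked_free(ext_name);
            if (null_after_free)
                ext_name = NULL;          /* the one-line fix from the patch */
            break;
        case CONSTRAINT_PLAIN:
            break;
        default:
            goto err;                     /* unknown constraint type */
        }
    }
    return doubles;
err:
    doubles += tracked_free(ext_name);    /* cleanup on the exit path */
    return doubles;                       /* nothing runs after this */
}
```

Nulling `ext_name` again at `err:` would change nothing here, since the function returns immediately after that free.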

Colin Watson

Mar 13, 2021, 4:50:04 AM
On Sat, Mar 13, 2021 at 02:55:48PM +1100, Darren Tucker wrote:
> On Sat, 13 Mar 2021 at 10:01, Colin Watson <cjwa...@debian.org> wrote:
> > This patch unfortunately doesn't apply terribly cleanly to OpenSSH
> > 8.4p1, [...]
> > If I understand the vulnerability correctly, then it seems to me that
> > the following shorter patch would fix it, and would run less risk of me
> > fouling something else up by backporting the refactoring wrongly:
>
> There's a patch against 8.4 here:
> https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/015_sshagent.patch.sig
>
> It has the first of the two changes in your diff. The second is
> harmless but unnecessary as it's on the exit path from the function
> and there can't be a following call to free.

Ah yes, indeed. I'll use that patch then.