Announce: OpenSSH 9.3p2 released


Damien Miller

Jul 19, 2023, 1:38:49 PM
to openssh-...@mindrot.org
OpenSSH 9.3p2 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Changes since OpenSSH 9.3
=========================

This release fixes a security bug.

Security
========

Fix CVE-2023-38408 - a condition where specific libraries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:

* Exploitation requires the presence of specific libraries on
  the victim system.
* Remote exploitation requires that the agent was forwarded
  to an attacker-controlled system.

Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.

This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.

In addition to removing the main precondition for exploitation,
this release removes the ability for remote ssh-agent(1) clients
to load PKCS#11 modules by default (see below).

Potentially-incompatible changes
--------------------------------

* ssh-agent(8): the agent will now refuse requests to load PKCS#11
modules issued by remote clients by default. A flag has been added
to restore the previous behaviour "-Oallow-remote-pkcs11".

Note that ssh-agent(8) depends on the SSH client to identify
requests that are remote. The OpenSSH >=8.9 ssh(1) client does
this, but forwarding access to an agent socket using other tools
may circumvent this restriction.

Checksums:
==========

- SHA1 (openssh-9.3p2.tar.gz) = 219cf700c317f400bb20b001c0406056f7188ea4
- SHA256 (openssh-9.3p2.tar.gz) = IA6+FH9ss/EB/QzfngJEKvfdyimN/9n0VoeOfMrGdug=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
Security bugs should be reported directly to ope...@openssh.com


Dmitry Belyavskiy

Jul 19, 2023, 5:02:20 PM
to openssh-...@mindrot.org
Dear Damien,

Could you please clarify which versions are vulnerable?


--
Dmitry Belyavskiy

_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Christoph Anton Mitterer

Jul 19, 2023, 5:10:22 PM
to openssh-...@mindrot.org
Hey.

On Wed, 2023-07-19 at 08:40 -0600, Damien Miller wrote:
> via a forwarded agent socket if the following
> conditions are met:

I assume this also means that when:
ForwardAgent=no
respectively:
-a
is used, one is not vulnerable?

Thanks,
Chris.

Damien Miller

Jul 19, 2023, 9:56:13 PM
to Dmitry Belyavskiy, openssh-...@mindrot.org


On Wed, 19 Jul 2023, Dmitry Belyavskiy wrote:

> Dear Damien,
>
> Could you please clarify which versions are vulnerable?

OpenSSH 5.5 through 9.3p1 inclusive
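
The version range above is the piece most people will want to feed into a fleet check. The script below is an added example (mine, not code from the release announcement or the OpenSSH tree): a POSIX sh function that parses the banner `ssh -V` prints, folds "major.minor[pN]" into one integer and tests it against "5.5 through 9.3p1 inclusive", i.e. at least 5.5 and anything before 9.3p2. The function name `openssh_in_affected_range`, the `--local` flag and the sample banners in the test are the example's own. Treat the result as a triage filter only: as the later messages about Fedora and RHEL show, distributions backport the fix without changing the banner, so a "9.3p1" or "8.9p1" hit still has to be checked against the vendor advisory.

```shell
#!/bin/sh
# Added example; not part of the OpenSSH release or tree.
# Classify an OpenSSH client banner against the affected range given in the
# thread: 5.5 through 9.3p1 inclusive (at least 5.5, anything before 9.3p2).
# Input is the banner `ssh -V` prints, for example
#   "OpenSSH_9.3p1, OpenSSL 3.0.9 30 May 2023"   (portable release)
#   "OpenSSH_9.3, LibreSSL 3.7.2"                (OpenBSD base, no p-suffix)
# Exit status: 0 = inside the affected range, 1 = outside it,
# 2 = not an OpenSSH banner / could not parse.
openssh_in_affected_range() {
    case "$1" in
        OpenSSH_*) ;;
        *) return 2 ;;
    esac
    v=${1#OpenSSH_}          # "9.3p1, OpenSSL ..."
    v=${v%%[!0-9.p]*}        # keep only the leading "major.minor[pN]" token -> "9.3p1"
    case "$v" in
        *.*) ;;
        *) return 2 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}             # "3p1" or "3"
    minor=${rest%%p*}
    case "$rest" in
        *p*) portable=${rest#*p} ;;
        *)   portable=0 ;;   # OpenBSD base releases carry no portable patch level
    esac
    for part in "$major" "$minor" "$portable"; do
        case "$part" in
            ''|*[!0-9]*) return 2 ;;
        esac
    done
    # Fold into one integer so the range test is a plain comparison:
    # 5.5 -> 50500, 9.3p1 -> 90301, 9.3p2 -> 90302.
    n=$((major * 10000 + minor * 100 + portable))
    if [ "$n" -ge 50500 ] && [ "$n" -lt 90302 ]; then
        return 0
    fi
    return 1
}

# Usage: `sh check-openssh.sh --local` tests the client on this machine.
# `ssh -V` writes its banner to stderr, hence the redirect.
if [ "${1:-}" = "--local" ]; then
    banner=$(ssh -V 2>&1)
    rc=0
    openssh_in_affected_range "$banner" || rc=$?
    case "$rc" in
        0) echo "$banner: in the affected range (5.5 .. 9.3p1); a distribution backport does not change the banner, check the vendor advisory" ;;
        1) echo "$banner: outside the affected range" ;;
        *) echo "could not parse: $banner" ;;
    esac
fi
```

The banner parser stops at the first character that is not a digit, a dot or "p", so vendor suffixes such as an Ubuntu package revision after the version are ignored rather than mis-parsed.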

Damien Miller

Jul 19, 2023, 10:06:37 PM
to Christoph Anton Mitterer, openssh-...@mindrot.org
On Wed, 19 Jul 2023, Christoph Anton Mitterer wrote:

> Hey.
>
> On Wed, 2023-07-19 at 08:40 -0600, Damien Miller wrote:
> > via a forwarded agent socket if the following
> > conditions are met:
>
> I assume this also means that when:
> ForwardAgent=no
> respectively:
> -a
> is used, one is not vulnerable?

You'd still be vulnerable to a local attack if they could get past the
filesystem permissions, however this is highly unlikely.

I'd recommend the workaround in the release notes though.

Nico Kadel-Garcia

Jul 19, 2023, 10:37:38 PM
to Damien Miller, Christoph Anton Mitterer, openssh-...@mindrot.org
On Wed, Jul 19, 2023 at 10:07 PM Damien Miller <d...@mindrot.org> wrote:
>
> On Wed, 19 Jul 2023, Christoph Anton Mitterer wrote:
>
> > Hey.
> >
> > On Wed, 2023-07-19 at 08:40 -0600, Damien Miller wrote:
> > > via a forwarded agent socket if the following
> > > conditions are met:
> >
> > I assume this also means that when:
> > ForwardAgent=no
> > respectively:
> > -a
> > is used, one is not vulnerable?
>
> You'd still be vulnerable to a local attack if they could get past the
> filesystem permissions, however this is highly unlikely.
>
> I'd recommend the workaround in the release notes though.

Disabling agent forwarding is recommended on a lot of systems.
Permitting agent forwarding is *extremely* useful for jump points,
intermediate exposed systems where you might want to use one
credential to log into the jump point, and another private key to
connect to another system, but don't want to install your private key
on the jump point yourself.

Stuart Henderson

Jul 20, 2023, 1:42:45 AM
to Nico Kadel-Garcia, Damien Miller, Christoph Anton Mitterer, openssh-...@mindrot.org
On 2023/07/19 22:14, Nico Kadel-Garcia wrote:
> Disabling agent forwarding is recommended on a lot of systems.
> Permitting agent forwarding is *extremely* useful for jump points,
> intermediate exposed systems where you might want to use one
> credential to log into the jump point, and another private key to
> connect to another system, but don't want to install your private key
> on the jump point myself.

This is probably a good time to consider whether old agent-forwarding
configurations can be replaced with ProxyJump / ssh -J.
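
To act on Stuart's suggestion you first need to know where agent forwarding is still switched on. The script below is an added example (mine, not code from the thread or from OpenSSH): a lexical audit in POSIX sh and awk that walks one or more ssh_config files, prints every Host/Match block whose first ForwardAgent value is anything other than "no", and shows whether that block already carries a ProxyJump. The constructed sample config in the block contrasts the legacy agent-forwarding form with the ProxyJump form; the host names in it are placeholders and the function names `audit_forward_agent` and `audit_sample` are the example's own. It does not follow Include directives (pass included files as extra arguments) and does not evaluate Match conditions.

```shell
#!/bin/sh
# Added example; not from the thread or the OpenSSH project.
# Lexical audit of ssh_config files: report each Host/Match block that
# enables agent forwarding, with any ProxyJump already set in that block.
# Output: one tab-separated line per block:
#   <block header>  ForwardAgent=<value>  ProxyJump=<value or ->
# Include is not followed and Match conditions are not evaluated.
audit_forward_agent() {
    awk '
        function flush() {
            # ssh_config semantics: any value other than "no" (yes, or an
            # explicit agent socket path) forwards the agent
            if (fa != "" && fa != "no")
                printf "%s\tForwardAgent=%s\tProxyJump=%s\n", block, fa, (pj == "" ? "-" : pj)
        }
        BEGIN { block = "(global)" }                 # directives before the first Host
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim, which also re-splits fields
        tolower($1) == "host" || tolower($1) == "match" {
            flush(); block = $0; fa = ""; pj = ""; next
        }
        # within a block the first value of a keyword is the one ssh uses
        tolower($1) == "forwardagent" { if (fa == "") fa = tolower($2); next }
        tolower($1) == "proxyjump"    { if (pj == "") pj = $2; next }
        END { flush() }
    ' "$@"
}

# Constructed sample config for the example; the hosts are placeholders.
SAMPLE_CONFIG='
# legacy style: the jump host gets access to the forwarded agent socket
Host legacy-jump
    HostName jump.example.test
    ForwardAgent yes

# ProxyJump style: the session is relayed through the jump host, which
# never sees the agent; the final host authenticates end to end
Host internal-db
    HostName db.internal.example.test
    ProxyJump jump.example.test
    ForwardAgent no

Host vendor-*
    ForwardAgent yes
    ProxyJump jump.example.test
'

# Run the audit over the embedded sample (stdin is used when no files are given).
audit_sample() {
    printf '%s\n' "$SAMPLE_CONFIG" | audit_forward_agent
}

# Usage against real files:
#   audit_forward_agent ~/.ssh/config /etc/ssh/ssh_config
audit_sample
```

Blocks that show a ProxyJump next to ForwardAgent=yes are the easy wins: the relay is already in place, so the forwarding can usually be dropped outright. Blocks without a ProxyJump need a look at why the intermediate host needed the agent at all.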

Corinna Vinschen

Jul 20, 2023, 6:21:29 AM
to Damien Miller, openssh-...@mindrot.org
Hi Damien,

Can you please add a V_9_3_P2 tag?


Thanks,
Corinna


Damien Miller

Jul 20, 2023, 7:06:51 PM
to openssh-...@mindrot.org
done (I did tag, just forgot to push it)

On Thu, 20 Jul 2023, Corinna Vinschen wrote:

> Hi Damien,
>
> Can you please add a V_9_3_P2 tag?

Corinna Vinschen

Jul 21, 2023, 4:30:10 AM
to openssh-...@mindrot.org
On Jul 21 09:04, Damien Miller wrote:
> done (I did tag, just forgot to push it)

Great, thanks!


Corinna

Dmitry Belyavskiy

Jul 21, 2023, 4:38:46 AM
to Damien Miller, openssh-...@mindrot.org
On Thu, Jul 20, 2023 at 3:53 AM Damien Miller <d...@mindrot.org> wrote:
>
>
>
> On Wed, 19 Jul 2023, Dmitry Belyavskiy wrote:
>
> > Dear Damien,
> >
> > Could you please clarify which versions are vulnerable?
>
> OpenSSH 5.5 through 9.3p1 inclusive

Many thanks for the clarification!


--
Dmitry Belyavskiy

Nico Kadel-Garcia

Jul 23, 2023, 1:31:16 AM
to Dmitry Belyavskiy, Damien Miller, openssh-...@mindrot.org
On Fri, Jul 21, 2023 at 4:37 AM Dmitry Belyavskiy <dbel...@redhat.com> wrote:
>
> On Thu, Jul 20, 2023 at 3:53 AM Damien Miller <d...@mindrot.org> wrote:
> >
> >
> >
> > On Wed, 19 Jul 2023, Dmitry Belyavskiy wrote:
> >
> > > Dear Damien,
> > >
> > > Could you please clarify which versions are vulnerable?
> >
> > OpenSSH 5.5 through 9.3p1 inclusive
>
> Many thanks for the clarification!

I took a shot at it for RHEL 9. Red Hat and Fedora apply dozens of
tuning patches on top of OpenSSH. I think I'll wait for Fedora to have
a working version to try to port it to RHEL.

Dmitry Belyavskiy

Jul 23, 2023, 3:55:59 AM
to Nico Kadel-Garcia, Damien Miller, openssh-...@mindrot.org
Dear Nico,

> I took a shot at it for RHEL 9. Red Hat and Fedora apply dozens of
> tuning patches on top of OpenSSH. I think I'll wait for Fedora to have
> a working version to try to port it to RHEL.

The fix should already land in F38 and rawhide and is in testing in F37

--
Dmitry Belyavskiy