
Mailing List Archive: OpenSSH: Dev

OpenSSL ASN.1 vulnerability: sshd not affected

 

 



djm at mindrot

Apr 19, 2012, 5:19 AM

Post #1 of 4 (1072 views)
OpenSSL ASN.1 vulnerability: sshd not affected

Hi,

Tavis Ormandy found some bugs in OpenSSL's ASN.1 and buffer code that
can be exploited to cause a heap overflow:

http://lists.grok.org.uk/pipermail/full-disclosure/2012-April/086585.html

Fortunately OpenSSH's sshd is not vulnerable - it has avoided the use
of ASN.1 parsing since 2002 when Markus wrote a custom RSA verification
function (openssh_RSA_verify):

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-rsa.c?rev=HEAD;content-type=text%2Fplain

That's now eight exploitable bugs that this change has saved us from.
It's a good lesson in how excising even a relatively small amount of
complex attack surface can make a substantial difference to the security
of an application.

This gloating only applies to sshd though - private key loading still
uses the affected OpenSSL code, so if you are somehow allowing untrusted
users to supply private keys to ssh, ssh-keygen or ssh-add in a
privileged context then you should apply the OpenSSL fixes forthwith.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
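
The idea in post #1, verifying an RSA signature without running an ASN.1 parser, shown as an added example (not OpenSSH's `openssh_RSA_verify` and not code from any poster): build the single acceptable PKCS#1 v1.5 encoded message for a SHA-1 digest and compare bytes. It assumes the RSA public-key operation has already produced `em`; `build_em`, `check_em_sha1` and `demo` are hypothetical names, and the digest is a constructed stand-in.

```c
#include <stdio.h>
#include <string.h>

/* Fixed DER bytes of a SHA-1 DigestInfo up to the 20-byte hash (RFC 8017, 9.2). */
static const unsigned char SHA1_PREFIX[15] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
};
enum { SHA1_LEN = 20, T_LEN = 15 + SHA1_LEN, MAX_EM = 512 };

/* Build the one acceptable encoded message: 00 01 FF..FF 00 || prefix || hash. */
static int build_em(unsigned char *em, size_t em_len, const unsigned char *hash)
{
    if (em_len > MAX_EM || em_len < T_LEN + 11)   /* at least 8 bytes of 0xFF */
        return 0;
    size_t ps_len = em_len - T_LEN - 3;
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xff, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, SHA1_PREFIX, sizeof(SHA1_PREFIX));
    memcpy(em + 3 + ps_len + sizeof(SHA1_PREFIX), hash, SHA1_LEN);
    return 1;
}

/* em is the output of the RSA public-key operation (modulus-sized).
 * Returns 1 only on a byte-for-byte match; no ASN.1 decoder is ever run. */
int check_em_sha1(const unsigned char *em, size_t em_len, const unsigned char *hash)
{
    unsigned char expect[MAX_EM], diff = 0;
    if (!build_em(expect, em_len, hash))
        return 0;
    for (size_t i = 0; i < em_len; i++)   /* constant-time comparison */
        diff |= em[i] ^ expect[i];
    return diff == 0;
}

/* Constructed sample: returns 1 if the genuine block passes and a block with
 * one altered DER length byte is rejected. */
int demo(void)
{
    unsigned char hash[SHA1_LEN], em[128];
    memset(hash, 0xab, sizeof(hash));        /* stand-in digest, not a real hash */
    build_em(em, sizeof(em), hash);
    int ok = check_em_sha1(em, sizeof(em), hash);
    em[128 - T_LEN + 1] ^= 0x01;             /* tamper with DigestInfo length */
    return ok && !check_em_sha1(em, sizeof(em), hash);
}

int main(void) { printf("demo: %d\n", demo()); return 0; }
```

Because the verifier only ever encodes and compares, attacker-controlled bytes never reach a decoder, which is the attack-surface reduction the post credits.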


aris at 0xbadc0de

Apr 19, 2012, 12:49 PM

Post #2 of 4 (1040 views)
Re: OpenSSL ASN.1 vulnerability: sshd not affected

On 19/04/12 14:19, Damien Miller wrote:
> Fortunately OpenSSH's sshd is not vulnerable - it has avoided the use
> of ASN.1 parsing since 2002 when Markus wrote a custom RSA verification
> function (openssh_RSA_verify):

Hi Damien,

In order to check the impact that this bug has on other software using
libcrypto, your email caught my eye.
I have a hard day figuring out if RSA_verify from libcrypto is
vulnerable. From what I could read, this bug is only exploitable when
the ASN.1 parsing is done on BIO objects, and RSA_verify parses from
memory, thus avoiding the bug. (I could see it calls d2i_X509_SIG()
which is not bio nor fp).
OpenSSL also claims [1] that this bug is not exploitable on SSL/TLS
clients/servers, so my opinion is that OpenSSH (and other software
using RSA_verify) are not vulnerable.

But of course this doesn't alter anything in the good security
practices in use for OpenSSH, that will protect from the next ASN.1 bug :)

Aris

[1] http://www.openssl.org/news/secadv_20120419.txt


openssh at roumenpetrov

Apr 19, 2012, 2:04 PM

Post #3 of 4 (1037 views)
Re: OpenSSL ASN.1 vulnerability: sshd not affected

Damien Miller wrote:
> Hi,
>
> Tavis Ormandy found some bugs in OpenSSL's ASN.1 and buffer code that
> can be exploited to cause a heap overflow:
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2012-April/086585.html
>
> Fortunately OpenSSH's sshd is not vulnerable - it has avoided the use
> of ASN.1 parsing since 2002 when Markus wrote a custom RSA verification
> function (openssh_RSA_verify):
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-rsa.c?rev=HEAD;content-type=text%2Fplain
>
> That's now eight exploitable bugs that this change has saved us from.
> It's a good lesson in how excising even a relatively small amount of
> complex attack surface can make a substantial difference to the security
> of an application.
>
> This gloating only applies to sshd though - private key loading still
> uses the affected OpenSSL code, so if you are somehow allowing untrusted
> users to supply private keys to ssh, ssh-keygen or ssh-add in a
> privileged context then you should apply the OpenSSL fixes forthwith.

I cannot understand this sentence. The issue is with operations on file
streams. I cannot remember the exact version when key reading from streams
was replaced by an "atomic" operation - read the file into memory and then
use memory to parse.

Please could you clarify whether user programs are vulnerable or not?

> -d
>
Roumen

--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/





djm at mindrot

Apr 19, 2012, 5:08 PM

Post #4 of 4 (1040 views)
Re: OpenSSL ASN.1 vulnerability: sshd not affected

On Thu, 19 Apr 2012, Aris Adamantiadis wrote:

> On 19/04/12 14:19, Damien Miller wrote:
> > Fortunately OpenSSH's sshd is not vulnerable - it has avoided the use
> > of ASN.1 parsing since 2002 when Markus wrote a custom RSA verification
> > function (openssh_RSA_verify):
>
> Hi Damien,
>
> In order to check the impact that this bug has on other software using
> libcrypto, your email caught my eye.
> I have a hard day figuring out if RSA_verify from libcrypto is
> vulnerable. From what I could read, this bug is only exploitable when
> the ASN.1 parsing is done on BIO objects, and RSA_verify parses from
> memory, thus avoiding the bug. (I could see it calls d2i_X509_SIG()
> which is not bio nor fp).
> OpenSSL also claims [1] that this bug is not exploitable on SSL/TLS
> clients/servers, so my opinion is that OpenSSH (and other software
> using RSA_verify) are not vulnerable.
>
> But of course this doesn't alter anything in the good security
> practices in use for OpenSSH, that will protect from the next ASN.1 bug :)

Yes, I think you're right - the bug is only hit when calling d2i_*_(bio|fp)
functions. I believed these were done implicitly when parsing DER-encoded
structures and PEM-encoded keys, but a few people have told me that this
is not the case. My gloating was therefore misplaced.

Tavis' findings did include and depend on another problem in OpenSSL's
memory buffer code. This bug seems like it could enable exploitability
of other bugs that have not yet been found or made public, so IMO it
would be a good idea to patch anyway.

-d