Date: Fri, 4 Feb 2011 12:44:16 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: Damien Miller <djm@....openbsd.org>
Cc: vendor-sec@....de, oss-security@...ts.openwall.com,
        coley <coley@...re.org>
Subject: Re: [vendor-sec] OpenSSH security advisory: legacy certificate
 signing in 5.6/5.7

Please use CVE-2011-0539 for this.

Thanks.

-- 
    JB

----- Original Message -----
> OpenSSH Security Advisory: legacy-certs.adv
> 
> This document may be found at:
> http://www.openssh.com/txt/legacy-cert.adv
> 
> 1. Vulnerability
> 
> Legacy certificates generated by OpenSSH might contain data
> from the stack thus leaking confidential information.
> 
> 2. Affected configurations
> 
> OpenSSH 5.6 and OpenSSH 5.7 only when generating legacy
> certificates. These must be specifically requested using the
> "-t" option on the ssh-keygen CA command-line.
> 
> 3. Mitigation
> 
> Avoid generating legacy certificates using OpenSSH 5.6 or 5.7
> 
> If legacy certificates have been issued with a vulnerable
> OpenSSH version, consider rotating any CA key used.
> 
> 4. Details
> 
> When generating legacy *-cert-v00@...nssh.com certificates,
> the nonce field was not being correctly filled with random
> data but was left uninitialised, containing the contents of
> the stack.
> 
> The contents of the stack at this point in ssh-keygen's
> execution do not appear to leak the CA private key or other
> sensitive data, but this possibility cannot be excluded on
> all platforms and library versions.
> 
> If certificates are generated using user-specified contents
> (as opposed to the CA specifying all fields) then they will
> be less resistant to hash collision attacks. Fortunately,
> such attacks are not currently considered practical for the
> SHA family of hashes used to sign these certificates.
> 
> 5. Credit
> 
> This issue was privately reported by Mateusz Kocielski on
> January 26, 2011.
> 
> 6. Fix
> 
> OpenSSH 5.8 contains a fix for this vulnerability. Users who
> prefer to continue to use OpenSSH 5.6 or 5.7 may apply this
> patch:
> 
> Index: key.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/key.c,v
> retrieving revision 1.95
> diff -u -r1.95 key.c
> --- key.c 10 Nov 2010 01:33:07 -0000 1.95
> +++ key.c 3 Feb 2011 06:52:33 -0000
> @@ -1823,8 +1823,8 @@
> buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
> 
> /* -v01 certs put nonce first */
> + arc4random_buf(&nonce, sizeof(nonce));
> if (!key_cert_is_legacy(k)) {
> - arc4random_buf(&nonce, sizeof(nonce));
> buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
> }
> 
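
Review bot: The comment "/* -v01 certs put nonce first */" now sits directly above the unconditional arc4random_buf(&nonce, sizeof(nonce)) call instead of above the if (!key_cert_is_legacy(k)) block it describes, so the code no longer says why the call is outside the branch. Suggest moving the arc4random_buf line above that comment and giving it its own one-line comment stating that the nonce is filled for every certificate type, legacy ones included, so a later cleanup does not fold the call back into the non-legacy branch and reintroduce the uninitialised nonce.
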
> _______________________________________________
> Vendor Security mailing list
> Vendor Security@....de
> https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
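
For the mitigation step in the advisory (deciding whether a CA key needs rotating), an added example, not part of the advisory or of OpenSSH: it classifies lines from certificate files by the key type embedded in the blob and flags the legacy -cert-v00 family. The full key type names, function names and sample lines are assumptions constructed for illustration; a certificate does not record which OpenSSH version issued it, so that must come from the CA host's own records.

```python
import base64
import binascii
import struct

# Legacy certificate key types (the "*-cert-v00@openssh.com" family).
LEGACY_SUFFIX = b"-cert-v00@openssh.com"


def embedded_key_type(blob: bytes) -> bytes:
    """Return the first SSH 'string' in a key blob: uint32 length + bytes."""
    if len(blob) < 4:
        raise ValueError("blob shorter than a length prefix")
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or length > len(blob) - 4:
        raise ValueError("key type length exceeds blob size")
    return blob[4:4 + length]


def classify_line(line: str) -> str:
    """Classify one certificate line as 'legacy', 'other' or 'malformed'."""
    fields = line.split()
    if len(fields) < 2:
        return "malformed"
    try:
        blob = base64.b64decode(fields[1], validate=True)
        key_type = embedded_key_type(blob)
    except (binascii.Error, ValueError):
        return "malformed"
    # The type named on the line must match the one inside the blob.
    if key_type != fields[0].encode():
        return "malformed"
    return "legacy" if key_type.endswith(LEGACY_SUFFIX) else "other"


def _constructed_line(key_type: str) -> str:
    """Build a constructed sample line: real type string, dummy body."""
    body = struct.pack(">I", len(key_type)) + key_type.encode() + b"\x00" * 16
    return f"{key_type} {base64.b64encode(body).decode()} constructed@example"


# Constructed samples: a legacy cert, a v01 cert, and a damaged line.
SAMPLES = [
    _constructed_line("ssh-rsa-cert-v00@openssh.com"),
    _constructed_line("ssh-rsa-cert-v01@openssh.com"),
    "ssh-rsa-cert-v00@openssh.com not*base64 constructed@example",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_line(sample), sample.split()[0])
```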
