1. Forum
  2. Usenet
  3. COMP.UNIX.BSD.FREEBSD.ANN

  • FreeBSD Security Advisory FreeBSD-SA-23:05.openssh

    From FreeBSD Security Advisories@21:1/5 to All on Wed Jun 21 07:00:17 2023
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    ============================================================================= FreeBSD-SA-23:05.openssh Security Advisory
    The FreeBSD Project

    Topic: ssh-add does not honor per-hop destination constraints

    Category: contrib
    Module: openssh
    Announced: 2023-06-21
    Credits: Luci Stanescu
    Affects: FreeBSD 12.4
    Corrected: 2023-06-05 16:04:15 UTC (stable/12, 12.4-STABLE)
    2023-06-21 05:43:42 UTC (releng/12.4, 12.4-RELEASE-p3)
    CVE Name: CVE-2023-28531

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

    I. Background

    OpenSSH is an implementation of the SSH protocol suite, providing an
    encrypted and authenticated transport for a variety of services, including remote shell access.

    II. Problem Description

    When using ssh-add(1) to add smartcard keys to ssh-agent(1) with per-hop destination constraints, a logic error prevented the constraints from being sent to the agent resulting in keys being added to the agent without constraints.

    III. Impact

    A malicious server could leverage the keys provided by a forwarded agent that would normally not be allowed due to the logic error.

    IV. Workaround

    No workaround is available.

    V. Solution

    Upgrade your vulnerable system to a supported FreeBSD stable or
    release / security branch (releng) dated after the correction date.

    Perform one of the following:

    1) To update your vulnerable system via a binary patch:

    Systems running a RELEASE version of FreeBSD on the amd64, i386, or
    (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility:

    # freebsd-update fetch
    # freebsd-update install

    2) To update your vulnerable system via a source code patch:

    The following patches have been verified to apply to the applicable
    FreeBSD release branches.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    # fetch https://security.FreeBSD.org/patches/SA-23:05/openssh.patch
    # fetch https://security.FreeBSD.org/patches/SA-23:05/openssh.patch.asc
    # gpg --verify openssh.patch.asc

    b) Apply the patch. Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

    VI. Correction details

    This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches:

    Branch/path Hash Revision
    - ------------------------------------------------------------------------- stable/12/ r373093 releng/12.4/ r373104
    - -------------------------------------------------------------------------

    Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number:

    # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

    Or visit the following URL, replacing NNNNNN with the revision number:

    <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

    VII. References

    <URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271839>

    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28531>

    The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:05.openssh.asc> -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmSSkl8ACgkQbljekB8A Gu+p6Q//YJCvfTB82/cs++ok7D/bKGdwq5rvf9CaNMPrvEp7eVvzlTTDtxO6fU1P eT9IZNSBxQHQEnbDyhN0kiTSp+cumGUl44azMwXrHmatN8SZ0FJ/SwEF/VIkxLq5 suHmWh+E2JYdEKfBahjYiO6WJRL/WnKUGPkoDwcqszMyVEVcWh1Jr7nd8VmAJL54 Q5IADSZYpZHJTgdKM/jwkI0yUdsm3qRdMpfnHrNRHUoo84JIpr69bKAISwRF/w5m AgSFrV/0fW4EEqN0roXip6fyM3BlpOI8BjBE0V6mlPOkwxqzGvM7GwuEMGbxRWEj pBv00Kqr0wdDmwge2EFaPLnd1wlB9dvy3+Z4GN2bmdwtM+tW5PXUgZ4iiKaD9/yK Xf4dvSX8vs0IS4Rbk6e/MdZQHDXSzEFxPYz/a1PK/mMPVVeyyzCrQ8/66qUF5Uht grItkiiD+20c/7SEoy7Tj/sDfYpohHYcUbFRxtFp4RlMBZtUgpUwSrvipixb/iKd JkwUHrN5y6ct/oep7FiiGkHmQ3krXn6o5X4JiDf4JjoqbhPQLWMWdmLI+EeHOTcs EtN2JUHK+uVnMoKIOY12D9EzbMH/haBAmHSldXyk/pkxxz0OrSKytjXuYQMo9ooG wlwKMhEOMU6Jhb0YX4nR4jnKEtUx73/i08GBAV7tUuu5he0q6/I=
    =8fxE
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)