FreeBSD Security Advisory FreeBSD-SA-23:08.ssh
2 August, 2023 by security-advisories@freebsd.org | freebsd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-23:08.ssh Security Advisory The FreeBSD Project Topic: Potential remote code execution via ssh-agent forwarding Category: contrib Module: OpenSSH Announced: 2023-08-01 Credits: Qualys Affects: All supported versions of FreeBSD. Corrected: 2023-07-21 14:41:41 UTC (stable/13, 13.2-STABLE) 2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2) 2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9) 2023-07-21 16:25:51 UTC (stable/12, 12.4-STABLE) 2023-08-01 19:47:00 UTC (releng/12.4, 12.4-RELEASE-p4) CVE Name: CVE-2023-38408 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background ssh-agent is a program to hold private keys used for OpenSSH public key authentication. Connections to ssh-agent may be forwarded from further remote hosts using the -A option to ssh. The server to which the ssh-agent connection is forwarded may cause the ssh-agent process to load (and unload) operating system-provided shared libraries to support the addition and deletion of PKCS#11 keys. II. Problem Description The server may cause ssh-agent to load shared libraries other than those required for PKCS#11 support. These shared libraries may have side effects that occur on load and unload (dlopen and dlclose). III. Impact An attacker with access to a server that accepts a forwarded ssh-agent connection may be able to execute code on the machine running ssh-agent. Note that the attack relies on properties of operating system-provided libraries. This has been demonstrated on other operating systems; it is unknown whether this attack is possible using the libraries provided by a FreeBSD installation. IV. Workaround Avoid using ssh-agent forwarding, or start ssh-agent with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date and restart any ssh sessions using ssh-agent forwarding. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 13.2] # fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.2.patch # fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.2.patch.asc # gpg --verify ssh.13.2.patch.asc [FreeBSD 13.1] # fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.1.patch # fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.1.patch.asc # gpg --verify ssh.13.1.patch.asc [FreeBSD 12.4] # fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.12.4.patch # fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.12.4.patch.asc # gpg --verify ssh.12.4.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Restart all ssh sessions that use ssh-agent forwarding, or reboot. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ d578a19e2cd3 stable/13-n255848 releng/13.2/ 20bcfc33d3f2 releng/13.2-n254624 releng/13.1/ 3d3a1cbfd7a2 releng/13.1-n250189 stable/12/ r373142 releng/12.4/ r373151 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat <commit hash> Or visit the following URL, replacing NNNNNN with the hash: <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38408> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:08.ssh.asc> -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsUACgkQbljekB8A Gu9M3A//ftE38dmRBx//0dm0sY6Pb++OprS7SKkm/dPlv2ywFMrUOZJl47pcfEuJ h+jeHOMWzQJYwSQBxPii/PbJRbxd4w4c0pjLDKXO3fc74anmuLQh7b8DLip6jQ/S C4LM11e0lGfxwJmrQl49r8eKkm4ta+TOn+IoSzGzsYUYkpqX3jpBuP/yhFvueXO7 9ZaXCIsg99/tZvXU34b4ZA5t3vVjkAhtbV9HSAza0RnM4ZFJnXJoZbheVMgp63qp yg2pieDnA5U/c1exC8joRQoiyXtSZjmq2+8e4HYXc9+LZvWr+/fyfBXO6BXn4hmU KSB6t2aldvB0ywWEbge+mM9I+h0jPKHNo/HsAwwF4gKfLqzZ1XNLnHC+LVTTe0cD lNHw6kBgH9qx4oLBXg8fZwxtPGv5qvSjC4qisDWi/BMDeVsTfr8wa+LoKHIp0KOH AnhuNKs1/TYpyHZfa2l7OfvSc70jSGYyG6Flcr5lYrhfDnXEFR6En4qbRLjIS6GA +8otM6AyuLLiwfaLdha2G9scuA/RUfyixB7AAhrFrxJPBQypC/kIi+lF0TKmEx69 Q2TlWktN/zzHzPJLafor5g9W9dft2Kt4T8hHsmQVwwwN58l3Q49FSrKAib5Agv66 1QuQDP5hhsq7VISG81ZzMZbgvhNgCM5EPjggZ65Qrk9/NCyWhOw=scNH -----END PGP SIGNATURE-----