BSDSec

deadsimple BSD Security Advisories and Announcements

FreeBSD Security Advisory FreeBSD-SA-23:08.ssh

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-23:08.ssh                                        Security Advisory
                                                          The FreeBSD Project

Topic:		Potential remote code execution via ssh-agent forwarding

Category:       contrib
Module:         OpenSSH
Announced:      2023-08-01
Credits:        Qualys
Affects:        All supported versions of FreeBSD.
Corrected:      2023-07-21 14:41:41 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)
                2023-07-21 16:25:51 UTC (stable/12, 12.4-STABLE)
                2023-08-01 19:47:00 UTC (releng/12.4, 12.4-RELEASE-p4)
CVE Name:       CVE-2023-38408

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

ssh-agent is a program to hold private keys used for OpenSSH public key
authentication.  Connections to ssh-agent may be forwarded from further
remote hosts using the -A option to ssh.  The server to which the ssh-agent
connection is forwarded may cause the ssh-agent process to load (and unload)
operating system-provided shared libraries to support the addition and
deletion of PKCS#11 keys.

II.  Problem Description

The server may cause ssh-agent to load shared libraries other than those
required for PKCS#11 support.  These shared libraries may have side effects
that occur on load and unload (dlopen and dlclose). 

III. Impact

An attacker with access to a server that accepts a forwarded ssh-agent
connection may be able to execute code on the machine running ssh-agent.
Note that the attack relies on properties of operating system-provided
libraries.  This has been demonstrated on other operating systems; it is
unknown whether this attack is possible using the libraries provided by
a FreeBSD installation.

IV.  Workaround

Avoid using ssh-agent forwarding, or start ssh-agent with an empty
PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that
contains only specific provider libraries.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date and
restart any ssh sessions using ssh-agent forwarding.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.2]
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.2.patch
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.2.patch.asc
# gpg --verify ssh.13.2.patch.asc

[FreeBSD 13.1]
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.1.patch
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.1.patch.asc
# gpg --verify ssh.13.1.patch.asc

[FreeBSD 12.4]
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.12.4.patch
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.12.4.patch.asc
# gpg --verify ssh.12.4.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all ssh sessions that use ssh-agent forwarding, or reboot.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/13/                              d578a19e2cd3    stable/13-n255848
releng/13.2/                            20bcfc33d3f2  releng/13.2-n254624
releng/13.1/                            3d3a1cbfd7a2  releng/13.1-n250189
stable/12/                                                        r373142
releng/12.4/                                                      r373151
- -------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38408>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:08.ssh.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsUACgkQbljekB8A
Gu9M3A//ftE38dmRBx//0dm0sY6Pb++OprS7SKkm/dPlv2ywFMrUOZJl47pcfEuJ
h+jeHOMWzQJYwSQBxPii/PbJRbxd4w4c0pjLDKXO3fc74anmuLQh7b8DLip6jQ/S
C4LM11e0lGfxwJmrQl49r8eKkm4ta+TOn+IoSzGzsYUYkpqX3jpBuP/yhFvueXO7
9ZaXCIsg99/tZvXU34b4ZA5t3vVjkAhtbV9HSAza0RnM4ZFJnXJoZbheVMgp63qp
yg2pieDnA5U/c1exC8joRQoiyXtSZjmq2+8e4HYXc9+LZvWr+/fyfBXO6BXn4hmU
KSB6t2aldvB0ywWEbge+mM9I+h0jPKHNo/HsAwwF4gKfLqzZ1XNLnHC+LVTTe0cD
lNHw6kBgH9qx4oLBXg8fZwxtPGv5qvSjC4qisDWi/BMDeVsTfr8wa+LoKHIp0KOH
AnhuNKs1/TYpyHZfa2l7OfvSc70jSGYyG6Flcr5lYrhfDnXEFR6En4qbRLjIS6GA
+8otM6AyuLLiwfaLdha2G9scuA/RUfyixB7AAhrFrxJPBQypC/kIi+lF0TKmEx69
Q2TlWktN/zzHzPJLafor5g9W9dft2Kt4T8hHsmQVwwwN58l3Q49FSrKAib5Agv66
1QuQDP5hhsq7VISG81ZzMZbgvhNgCM5EPjggZ65Qrk9/NCyWhOw=scNH
-----END PGP SIGNATURE-----