Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: dropb...@packages.debian.org Control: affects -1 + src:dropbear
[ Reason ] dropbear 2022.83-1 is vunerable to CVE-2023-48795 (terrapin attack). https://terrapin-attack.com/ Based on https://bugs.debian.org/1059001 the security team argued this didn't warrant a CVE, and suggested to go via s-pu instead. [ Impact ] Bookworm users will remain vulnerable to CVE-2023-48795. Details about what that entails has been discussed on the upstream bug tracker at https://github.com/mkj/dropbear/issues/270 , where one the terrapin finder wrote that | While it is true that not sending server-sig-algs does not prevent the | client from trying SHA2-based RSA signatures, we observed the suggested | behavior (preferring SHA-1 over SHA-2 when server-sig-algs is missing) | in a wide variety of SSH clients. Also, the order of algorithms in | server-sig-algs is used by some clients in case multiple private keys | are present, potentially leading to downgrades as well. | | However, we do not consider this application of the Terrapin attack to | have a significant impact. Instead, our main concern is the combination | of Terrapin with implementation bugs, as seen in AsyncSSH. We evaluated | only a handful of SSH implementations, where one already allowed for | in-session man-in-the-middle attacks. Given the wide variety of SSH | implementations, one can estimate with sufficient probability that other | implementations face similar issues. [ Tests ] I checked the updated dropbear SSHd/dbclient against the Terrapin scanner. [ Risks ] Risk is low: the patch comes from upstream and applied cleanly (no upstream version was released since Bookworm was released). [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Implement Strict KEX mode to fix CVE-2023-48795 (terrapin attack). -- Guilhem.
diffstat for dropbear-2022.83 dropbear-2022.83 changelog | 11 ++ patches/CVE-2023-48795.patch | 232 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 salsa-ci.yml | 8 + 4 files changed, 252 insertions(+) diff -Nru dropbear-2022.83/debian/changelog dropbear-2022.83/debian/changelog --- dropbear-2022.83/debian/changelog 2022-11-14 22:16:35.000000000 +0100 +++ dropbear-2022.83/debian/changelog 2024-01-26 10:01:00.000000000 +0100 @@ -1,3 +1,14 @@ +dropbear (2022.83-1+deb12u1) bookworm; urgency=medium + + * Fix CVE-2023-48795: (terrapin attack): The SSH transport protocol with + certain OpenSSH extensions allows remote attackers to bypass integrity + checks such that some packets are omitted (from the extension negotiation + message), and a client and server may consequently end up with a + connection for which some security features have been downgraded or + disabled, aka a Terrapin attack. (Closes: #1059001) + + -- Guilhem Moulin <guil...@debian.org> Fri, 26 Jan 2024 10:01:00 +0100 + dropbear (2022.83-1) unstable; urgency=medium * New upstream release 2022.83. Support for ssh-dss (DSA) host and user diff -Nru dropbear-2022.83/debian/patches/CVE-2023-48795.patch dropbear-2022.83/debian/patches/CVE-2023-48795.patch --- dropbear-2022.83/debian/patches/CVE-2023-48795.patch 1970-01-01 01:00:00.000000000 +0100 +++ dropbear-2022.83/debian/patches/CVE-2023-48795.patch 2024-01-26 10:01:00.000000000 +0100 @@ -0,0 +1,232 @@ +From: Matt Johnston <m...@ucc.asn.au> +Date: Mon, 20 Nov 2023 14:02:47 +0800 +Subject: Implement Strict KEX mode + +As specified by OpenSSH with kex-strict-c-...@openssh.com and +kex-strict-s-...@openssh.com. + +Origin: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-48795 +Bug-Debian: https://bugs.debian.org/1059001 +--- + cli-session.c | 11 +++++++++++ + common-algo.c | 6 ++++++ + common-kex.c | 26 +++++++++++++++++++++++++- + kex.h | 3 +++ + process-packet.c | 34 +++++++++++++++++++--------------- + ssh.h | 4 ++++ + svr-session.c | 3 +++ + 7 files changed, 71 insertions(+), 16 deletions(-) + +diff --git a/cli-session.c b/cli-session.c +index 5981b24..d261c8f 100644 +--- a/cli-session.c ++++ b/cli-session.c +@@ -46,6 +46,7 @@ static void cli_finished(void) ATTRIB_NORETURN; + static void recv_msg_service_accept(void); + static void cli_session_cleanup(void); + static void recv_msg_global_request_cli(void); ++static void cli_algos_initialise(void); + + struct clientsession cli_ses; /* GLOBAL */ + +@@ -117,6 +118,7 @@ void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection + } + + chaninitialise(cli_chantypes); ++ cli_algos_initialise(); + + /* Set up cli_ses vars */ + cli_session_init(proxy_cmd_pid); +@@ -487,3 +489,12 @@ void cli_dropbear_log(int priority, const char* format, va_list param) { + fflush(stderr); + } + ++static void cli_algos_initialise(void) { ++ algo_type *algo; ++ for (algo = sshkex; algo->name; algo++) { ++ if (strcmp(algo->name, SSH_STRICT_KEX_S) == 0) { ++ algo->usable = 0; ++ } ++ } ++} ++ +diff --git a/common-algo.c b/common-algo.c +index 378f0ca..f9d46eb 100644 +--- a/common-algo.c ++++ b/common-algo.c +@@ -307,6 +307,12 @@ algo_type sshkex[] = { + /* Set unusable by svr_algos_initialise() */ + {SSH_EXT_INFO_C, 0, NULL, 1, NULL}, + #endif ++#endif ++#if DROPBEAR_CLIENT ++ {SSH_STRICT_KEX_C, 0, NULL, 1, NULL}, ++#endif ++#if DROPBEAR_SERVER ++ {SSH_STRICT_KEX_S, 0, NULL, 1, NULL}, + #endif + {NULL, 0, NULL, 0, NULL} + }; +diff --git a/common-kex.c b/common-kex.c +index ac88442..8e33b12 100644 +--- a/common-kex.c ++++ b/common-kex.c +@@ -183,6 +183,10 @@ void send_msg_newkeys() { + gen_new_keys(); + switch_keys(); + ++ if (ses.kexstate.strict_kex) { ++ ses.transseq = 0; ++ } ++ + TRACE(("leave send_msg_newkeys")) + } + +@@ -193,7 +197,11 @@ void recv_msg_newkeys() { + + ses.kexstate.recvnewkeys = 1; + switch_keys(); +- ++ ++ if (ses.kexstate.strict_kex) { ++ ses.recvseq = 0; ++ } ++ + TRACE(("leave recv_msg_newkeys")) + } + +@@ -550,6 +558,10 @@ void recv_msg_kexinit() { + + ses.kexstate.recvkexinit = 1; + ++ if (ses.kexstate.strict_kex && !ses.kexstate.donefirstkex && ses.recvseq != 1) { ++ dropbear_exit("First packet wasn't kexinit"); ++ } ++ + TRACE(("leave recv_msg_kexinit")) + } + +@@ -859,6 +871,18 @@ static void read_kex_algos() { + } + #endif + ++ if (!ses.kexstate.donefirstkex) { ++ const char* strict_name; ++ if (IS_DROPBEAR_CLIENT) { ++ strict_name = SSH_STRICT_KEX_S; ++ } else { ++ strict_name = SSH_STRICT_KEX_C; ++ } ++ if (buf_has_algo(ses.payload, strict_name) == DROPBEAR_SUCCESS) { ++ ses.kexstate.strict_kex = 1; ++ } ++ } ++ + algo = buf_match_algo(ses.payload, sshkex, kexguess2, &goodguess); + allgood &= goodguess; + if (algo == NULL || algo->data == NULL) { +diff --git a/kex.h b/kex.h +index 77cf21a..7fcc3c2 100644 +--- a/kex.h ++++ b/kex.h +@@ -83,6 +83,9 @@ struct KEXState { + + unsigned our_first_follows_matches : 1; + ++ /* Boolean indicating that strict kex mode is in use */ ++ unsigned int strict_kex; ++ + time_t lastkextime; /* time of the last kex */ + unsigned int datatrans; /* data transmitted since last kex */ + unsigned int datarecv; /* data received since last kex */ +diff --git a/process-packet.c b/process-packet.c +index 9454160..133a152 100644 +--- a/process-packet.c ++++ b/process-packet.c +@@ -44,6 +44,7 @@ void process_packet() { + + unsigned char type; + unsigned int i; ++ unsigned int first_strict_kex = ses.kexstate.strict_kex && !ses.kexstate.donefirstkex; + time_t now; + + TRACE2(("enter process_packet")) +@@ -54,22 +55,24 @@ void process_packet() { + now = monotonic_now(); + ses.last_packet_time_keepalive_recv = now; + +- /* These packets we can receive at any time */ +- switch(type) { + +- case SSH_MSG_IGNORE: +- goto out; +- case SSH_MSG_DEBUG: +- goto out; ++ if (type == SSH_MSG_DISCONNECT) { ++ /* Allowed at any time */ ++ dropbear_close("Disconnect received"); ++ } + +- case SSH_MSG_UNIMPLEMENTED: +- /* debugging XXX */ +- TRACE(("SSH_MSG_UNIMPLEMENTED")) +- goto out; +- +- case SSH_MSG_DISCONNECT: +- /* TODO cleanup? */ +- dropbear_close("Disconnect received"); ++ /* These packets may be received at any time, ++ except during first kex with strict kex */ ++ if (!first_strict_kex) { ++ switch(type) { ++ case SSH_MSG_IGNORE: ++ goto out; ++ case SSH_MSG_DEBUG: ++ goto out; ++ case SSH_MSG_UNIMPLEMENTED: ++ TRACE(("SSH_MSG_UNIMPLEMENTED")) ++ goto out; ++ } + } + + /* Ignore these packet types so that keepalives don't interfere with +@@ -98,7 +101,8 @@ void process_packet() { + if (type >= 1 && type <= 49 + && type != SSH_MSG_SERVICE_REQUEST + && type != SSH_MSG_SERVICE_ACCEPT +- && type != SSH_MSG_KEXINIT) ++ && type != SSH_MSG_KEXINIT ++ && !first_strict_kex) + { + TRACE(("unknown allowed packet during kexinit")) + recv_unimplemented(); +diff --git a/ssh.h b/ssh.h +index 1b4fec6..ef3efdc 100644 +--- a/ssh.h ++++ b/ssh.h +@@ -100,6 +100,10 @@ + #define SSH_EXT_INFO_C "ext-info-c" + #define SSH_SERVER_SIG_ALGS "server-sig-algs" + ++/* OpenSSH strict KEX feature */ ++#define SSH_STRICT_KEX_S "kex-strict-s-...@openssh.com" ++#define SSH_STRICT_KEX_C "kex-strict-c-...@openssh.com" ++ + /* service types */ + #define SSH_SERVICE_USERAUTH "ssh-userauth" + #define SSH_SERVICE_USERAUTH_LEN 12 +diff --git a/svr-session.c b/svr-session.c +index 769f073..a538e2c 100644 +--- a/svr-session.c ++++ b/svr-session.c +@@ -370,6 +370,9 @@ static void svr_algos_initialise(void) { + algo->usable = 0; + } + #endif ++ if (strcmp(algo->name, SSH_STRICT_KEX_C) == 0) { ++ algo->usable = 0; ++ } + } + } + diff -Nru dropbear-2022.83/debian/patches/series dropbear-2022.83/debian/patches/series --- dropbear-2022.83/debian/patches/series 2022-11-14 22:16:35.000000000 +0100 +++ dropbear-2022.83/debian/patches/series 2024-01-26 10:01:00.000000000 +0100 @@ -1,3 +1,4 @@ fix-FTBFS-on-hurd-i386.patch support-running-test_aslr-without-venv.patch raise-connection-delay-in-tests.patch +CVE-2023-48795.patch diff -Nru dropbear-2022.83/debian/salsa-ci.yml dropbear-2022.83/debian/salsa-ci.yml --- dropbear-2022.83/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ dropbear-2022.83/debian/salsa-ci.yml 2024-01-26 10:01:00.000000000 +0100 @@ -0,0 +1,8 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml + +variables: + RELEASE: 'bookworm' + SALSA_CI_DISABLE_REPROTEST: 1 + SALSA_CI_DISABLE_LINTIAN: 1
signature.asc
Description: PGP signature
