Spenser Truex <[email protected]> writes:
> From website
> http://pizzashack.org/rssh/security.shtml

More recently, you should also be aware of CVE-2019-1000018,
CVE-2019-3464, and CVE-2019-3463.

It turns out to be extremely difficult to do what rssh is attempting to do
because the underlying software that it is trying to protect does not
cooperate very well (and in some cases could be said to be actively
hostile). New mechanisms of bypassing its intended restrictions keep
cropping up. For example, I'm fairly sure the CVS support is not secure,
although I have not put the effort into figuring out how to break it.

You should probably consider rssh deprecated and think about alternatives.
My attempts to clean up the last few rounds of problems produced a ton of
collateral damage, and I've personally stopped trying to maintain rssh in
Debian because I'm not confident that I can make it secure.

Here are the most recent changelogs from the Debian package, which should
provide a feel for the scope of the problem. This also includes other
potential security issues that never received a CVE:

rssh (2.3.4-12) unstable; urgency=high

  * The fix for the scp security vulnerability in 2.3.4-9 combined with
    the regression fix in 2.3.4-10 rejected the -pf and -pt options, which
    are sent by libssh2's scp support.  Add support for those variants.
    (LP #1815935)

 -- Russ Allbery <[email protected]>  Mon, 18 Feb 2019 18:58:27 -0800

rssh (2.3.4-11) unstable; urgency=high

  * The fix for the scp security vulnerability in 2.3.4-9 introduced a
    regression that blocked scp of multiple files from a server using
    rssh.  Based on further analysis of scp's command-line parsing, relax
    the check to require the server command contain -f or -t, which should
    deactivate scp's support for remote files.  (Closes: #921655)

 -- Russ Allbery <[email protected]>  Sun, 10 Feb 2019 11:17:28 -0800

rssh (2.3.4-10) unstable; urgency=high

  * Also reject rsync --daemon and --config command-line options, which
    can be used to run arbitrary commands.  Thanks, Nick Cleaton.
    (CVE-2019-3463)
  * Unset the HOME environment variable when running rsync to prevent popt
    (against which rsync is linked) from loading a ~/.popt configuration
    file, which can run arbitrary commands on the server or redefine
    command-line options to bypass argument checking.  Thanks, Nick
    Cleaton.  (CVE-2019-3464)
  * Do not stop checking the rsync command line at --, since this can be
    an argument to some other option and later arguments may still be
    interpreted as options.  In the few cases where one needs to rsync to
    files named things like --rsh, the client can use ./--rsh instead.
    Thanks, Nick Cleaton.
  * Remove now-unused variables from the rsync validation patch.

 -- Russ Allbery <[email protected]>  Sat, 02 Feb 2019 10:59:47 -0800

rssh (2.3.4-9) unstable; urgency=high

  * Validate the allowed scp command line and only permit the flags used
    in server mode and only a single argument, to attempt to prevent use
    of ssh options to run arbitrary code on the server.  This will break
    scp -3 to a system running rssh, which seems like an acceptable loss.
    (Closes: #919623, CVE-2019-1000018)
  * Tighten validation of the rsync command line to require --server be
    the first argument, which should prevent initiation of an outbound
    rsync command from the server, which in turn might allow execution of
    arbitrary code via ssh configuration similar to scp.
  * Add validation of the server command line after chroot when chroot is
    enabled.  Prior to this change, dangerous argument filtering was not
    done when chroot was configured, allowing remote code execution inside
    the chroot in some configurations via the previous two bugs and via
    the mechanisms in CVE-2012-2251 and CVE-2012-2252.
  * Document that the cvs server-side dangerous option filtering is
    probably insufficient and should not be considered secure.

 -- Russ Allbery <[email protected]>  Mon, 28 Jan 2019 21:03:59 -0800

--
Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>
_______________________________________________
rssh-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
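
The allow-list rules spelled out in the changelog entries above (scp restricted to server-mode flags and one path, rsync required to start with --server, --daemon/--config/--rsh rejected, no early stop at "--", HOME removed before exec), as an added illustration in Python. This is not rssh's code and not the Debian patch: the scp flag set `dfprtv`, the treatment of rsync's `-e.` capability string, the use of `shlex.split` in place of rssh's own argument parsing, and all sample command lines are assumptions made for the example.

```python
"""Allow-list checks for the scp and rsync server command lines that a
restricted shell receives from sshd, illustrating the rules in the Debian
rssh changelog.  Added example, not rssh's code; the flag sets below are
assumptions drawn from the changelog and from what scp and rsync send when
a client invokes them in server mode."""
import os
import shlex


class RejectedCommand(ValueError):
    """The command line failed the allow-list check; do not exec it."""


# scp flags seen in server-mode invocations: "scp -t <dir>" for an upload,
# "scp -f <path>" for a download, optionally with -d -p -r -v.  Everything
# else is rejected, including client-side options such as -S <ssh program>
# and -o <ssh option> (the kind of option the CVE-2019-1000018 fix is meant
# to exclude) and -3, which needs an outbound connection.  (Assumed set.)
SCP_FLAG_CHARS = frozenset("dfprtv")

# rsync long options that must never reach a restricted shell's rsync:
# --daemon/--config run arbitrary commands (CVE-2019-3463) and --rsh would
# start an outbound program of the client's choosing.
RSYNC_FORBIDDEN_LONG = frozenset({"--daemon", "--config", "--rsh"})


def check_scp(argv):
    """Validate an scp command line; returns argv or raises RejectedCommand."""
    modes, paths = set(), []
    for arg in argv[1:]:
        if arg.startswith("-"):
            cluster = arg[1:]
            # "-" alone, "--", and any flag outside the server-mode set are
            # rejected.  Clusters such as -pf / -pt (sent by libssh2) pass.
            if not cluster or not set(cluster) <= SCP_FLAG_CHARS:
                raise RejectedCommand("disallowed scp option %r" % arg)
            modes |= set(cluster) & {"f", "t"}
        else:
            paths.append(arg)
    # -f or -t puts scp in server mode, which disables remote-file syntax.
    if not modes:
        raise RejectedCommand("scp must be invoked in server mode (-f or -t)")
    # Server mode takes exactly one local path; anything more is suspect.
    if len(paths) != 1:
        raise RejectedCommand("scp server mode takes exactly one path")
    return argv


def check_rsync(argv):
    """Validate an rsync command line; returns argv or raises RejectedCommand."""
    # --server must be the very first argument so rsync cannot be started
    # as a client (which could open an outbound connection via --rsh).
    if len(argv) < 2 or argv[1] != "--server":
        raise RejectedCommand("--server must be the first rsync argument")
    for arg in argv[2:]:
        if arg.startswith("--"):
            # Do not stop at "--": rsync may still treat later arguments as
            # options, so every argument is inspected.
            if arg.split("=", 1)[0] in RSYNC_FORBIDDEN_LONG:
                raise RejectedCommand("disallowed rsync option %r" % arg)
        elif arg.startswith("-") and len(arg) > 1:
            # Short -e is --rsh.  The only form accepted is the one the
            # rsync client uses to announce protocol capabilities, "-e."
            # (or "-e<digits>" on pre-release builds) followed by flag
            # letters, e.g. -vlogDtpre.iLsfxC.  Assumption about rsync's
            # server option string, not something the changelog states.
            pos = arg.find("e")
            nxt = arg[pos + 1:pos + 2]
            if pos != -1 and not (nxt == "." or nxt.isdigit()):
                raise RejectedCommand("-e (--rsh) is not permitted: %r" % arg)
    return argv


def exec_environment(environ=None):
    """Environment for exec'ing the validated command.  HOME is removed so
    popt (linked into rsync) cannot read ~/.popt, which could redefine
    options or run commands (CVE-2019-3464)."""
    env = dict(os.environ if environ is None else environ)
    env.pop("HOME", None)
    return env


def validate_command(command):
    """Split the command string sshd hands to the shell and dispatch.
    shlex.split stands in for rssh's own argument parsing (assumption)."""
    argv = shlex.split(command)
    prog = os.path.basename(argv[0]) if argv else ""
    if prog == "scp":
        return check_scp(argv)
    if prog == "rsync":
        return check_rsync(argv)
    raise RejectedCommand("command not allowed: %r" % prog)


def is_allowed(command):
    """True if validate_command accepts the command line."""
    try:
        validate_command(command)
        return True
    except RejectedCommand:
        return False


if __name__ == "__main__":
    # Constructed sample command lines, not captured from a real server.
    for cmd in (
        "scp -t /srv/drop/",
        "scp -pf /srv/drop/report.txt",
        "scp -t -S /tmp/evil /srv/drop/",
        "rsync --server -vlogDtpre.iLsfxC . /srv/drop/",
        "rsync --daemon --config=/tmp/rsyncd.conf",
        "rsync --server -- --rsh=/tmp/evil . /srv/drop/",
        "rsync --server -e /tmp/evil . /srv/drop/",
    ):
        print("%-6s %s" % ("allow" if is_allowed(cmd) else "reject", cmd))
```

The check runs on the already-split argument vector and never stops early, which is the point of the 2.3.4-10 "--" change: an attacker-controlled argument after "--" is still examined. The validation should be performed on the command line that will actually be exec'd, i.e. after any chroot, as the 2.3.4-9 entry notes.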