[Fido] [PATCH] openssh: Backport CVE-2015-5600 fix

[Fido] [PATCH] openssh: Backport CVE-2015-5600 fix

[Haris Okanovic]

only query each keyboard-interactive device once per
authentication request regardless of how many times it is listed

Source:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u

Bug report:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5600
https://bugzilla.redhat.com/show_bug.cgi?id=1245969

Testing:
Built in Fido and installed to x86_64 test system.
Verified both 'keyboard-interactive' and 'publickey' logon works with
root and a regular user from an openssh 7.1p1-1 client on Arch.

Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
Reviewed-by: Ken Sharp <ken.sharp@ni.com>
Natinst-ReviewBoard-ID: 115602
Natinst-CAR-ID: 541263

---

This patch only applies to Fido and earlier releases. Bug is already
fixed in Jethro which builds OpenSSH 7.1.
---
 .../openssh/openssh/CVE-2015-5600.patch            | 50 ++++++++++++++++++++++
 meta/recipes-connectivity/openssh/openssh_6.7p1.bb |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
new file mode 100644
index 0000000..fa1c85e
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
@@ -0,0 +1,50 @@
+From b47bdee5621f95387c9ac5b999fd859ccb1213a9 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 18 Jul 2015 07:57:14 +0000
+Subject: [PATCH] CVE-2015-5600
+
+only query each keyboard-interactive device once per
+ authentication request regardless of how many times it is listed; ok markus@
+
+Source:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
+
+Upstream-Status: Backport
+---
+ auth2-chall.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/auth2-chall.c b/auth2-chall.c
+index ea4eb6952f8c13928c3fc595007f2d844dde422f..065361d3ec22f4f131308d1b4497afada3c3cb78 100644
+--- a/auth2-chall.c
++++ b/auth2-chall.c
+@@ -83,6 +83,7 @@ struct KbdintAuthctxt
+ 	void *ctxt;
+ 	KbdintDevice *device;
+ 	u_int nreq;
++	u_int devices_done;
+ };
+ 
+ #ifdef USE_PAM
+@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
+ 		if (len == 0)
+ 			break;
+ 		for (i = 0; devices[i]; i++) {
+-			if (!auth2_method_allowed(authctxt,
++			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
++			    !auth2_method_allowed(authctxt,
+ 			    "keyboard-interactive", devices[i]->name))
+ 				continue;
+-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
++			if (strncmp(kbdintctxt->devices, devices[i]->name,
++			    len) == 0) {
+ 				kbdintctxt->device = devices[i];
++				kbdintctxt->devices_done |= 1 << i;
++			}
+ 		}
+ 		t = kbdintctxt->devices;
+ 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
+-- 
+2.6.2
+
diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
index aa71cc1..9246284 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
@@ -25,6 +25,7 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
            file://CVE-2015-6563.patch  \
            file://CVE-2015-6564.patch \
            file://CVE-2015-6565.patch \
+           file://CVE-2015-5600.patch \
            "
 
 PAM_SRC_URI = "file://sshd"
-- 
2.6.2

Re: [Fido] [PATCH] openssh: Backport CVE-2015-5600 fix

[Joshua Lock]

On 30/10/15 20:12, Haris Okanovic wrote:
> only query each keyboard-interactive device once per
> authentication request regardless of how many times it is listed
>
> Source:
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
>
> Bug report:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5600
> https://bugzilla.redhat.com/show_bug.cgi?id=1245969
>
> Testing:
> Built in Fido and installed to x86_64 test system.
> Verified both 'keyboard-interactive' and 'publickey' logon works with
> root and a regular user from an openssh 7.1p1-1 client on Arch.

Thanks, I've pushed this change to my joshuagl/fido-next branch of 
openembedded-core-contrib and am testing it now.

Regards,

Joshua

1. 
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next

>
> Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
> Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
> Reviewed-by: Ken Sharp <ken.sharp@ni.com>
> Natinst-ReviewBoard-ID: 115602
> Natinst-CAR-ID: 541263
>
> ---
>
> This patch only applies to Fido and earlier releases. Bug is already
> fixed in Jethro which builds OpenSSH 7.1.
> ---
>   .../openssh/openssh/CVE-2015-5600.patch            | 50 ++++++++++++++++++++++
>   meta/recipes-connectivity/openssh/openssh_6.7p1.bb |  1 +
>   2 files changed, 51 insertions(+)
>   create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
> new file mode 100644
> index 0000000..fa1c85e
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
> @@ -0,0 +1,50 @@
> +From b47bdee5621f95387c9ac5b999fd859ccb1213a9 Mon Sep 17 00:00:00 2001
> +From: "djm@openbsd.org" <djm@openbsd.org>
> +Date: Sat, 18 Jul 2015 07:57:14 +0000
> +Subject: [PATCH] CVE-2015-5600
> +
> +only query each keyboard-interactive device once per
> + authentication request regardless of how many times it is listed; ok markus@
> +
> +Source:
> +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
> +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
> +
> +Upstream-Status: Backport
> +---
> + auth2-chall.c | 9 +++++++--
> + 1 file changed, 7 insertions(+), 2 deletions(-)
> +
> +diff --git a/auth2-chall.c b/auth2-chall.c
> +index ea4eb6952f8c13928c3fc595007f2d844dde422f..065361d3ec22f4f131308d1b4497afada3c3cb78 100644
> +--- a/auth2-chall.c
> ++++ b/auth2-chall.c
> +@@ -83,6 +83,7 @@ struct KbdintAuthctxt
> + 	void *ctxt;
> + 	KbdintDevice *device;
> + 	u_int nreq;
> ++	u_int devices_done;
> + };
> +
> + #ifdef USE_PAM
> +@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
> + 		if (len == 0)
> + 			break;
> + 		for (i = 0; devices[i]; i++) {
> +-			if (!auth2_method_allowed(authctxt,
> ++			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
> ++			    !auth2_method_allowed(authctxt,
> + 			    "keyboard-interactive", devices[i]->name))
> + 				continue;
> +-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
> ++			if (strncmp(kbdintctxt->devices, devices[i]->name,
> ++			    len) == 0) {
> + 				kbdintctxt->device = devices[i];
> ++				kbdintctxt->devices_done |= 1 << i;
> ++			}
> + 		}
> + 		t = kbdintctxt->devices;
> + 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
> +--
> +2.6.2
> +
> diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> index aa71cc1..9246284 100644
> --- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> @@ -25,6 +25,7 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
>              file://CVE-2015-6563.patch  \
>              file://CVE-2015-6564.patch \
>              file://CVE-2015-6565.patch \
> +           file://CVE-2015-5600.patch \
>              "
>
>   PAM_SRC_URI = "file://sshd"
>

Re: [Fido] [PATCH] openssh: Backport CVE-2015-5600 fix

[Haris Okanovic]

On 11/05/2015 04:00 PM, Joshua Lock wrote:
> Thanks, I've pushed this change to my joshuagl/fido-next branch of
> openembedded-core-contrib and am testing it now.

You can find instructions on testing the vulnerability at the following 
URL. I forgot to include it in the change description.

https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/

> Regards,
>
> Joshua
>
> 1.
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next
>
>
>>
>> Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
>> Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
>> Reviewed-by: Ken Sharp <ken.sharp@ni.com>
>> Natinst-ReviewBoard-ID: 115602
>> Natinst-CAR-ID: 541263
>>
>> ---
>>
>> This patch only applies to Fido and earlier releases. Bug is already
>> fixed in Jethro which builds OpenSSH 7.1.
>> ---
>>   .../openssh/openssh/CVE-2015-5600.patch            | 50
>> ++++++++++++++++++++++
>>   meta/recipes-connectivity/openssh/openssh_6.7p1.bb |  1 +
>>   2 files changed, 51 insertions(+)
>>   create mode 100644
>> meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>>
>> diff --git
>> a/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>> b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>> new file mode 100644
>> index 0000000..fa1c85e
>> --- /dev/null
>> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>> @@ -0,0 +1,50 @@
>> +From b47bdee5621f95387c9ac5b999fd859ccb1213a9 Mon Sep 17 00:00:00 2001
>> +From: "djm@openbsd.org" <djm@openbsd.org>
>> +Date: Sat, 18 Jul 2015 07:57:14 +0000
>> +Subject: [PATCH] CVE-2015-5600
>> +
>> +only query each keyboard-interactive device once per
>> + authentication request regardless of how many times it is listed; ok
>> markus@
>> +
>> +Source:
>> +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
>>
>> +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
>>
>> +
>> +Upstream-Status: Backport
>> +---
>> + auth2-chall.c | 9 +++++++--
>> + 1 file changed, 7 insertions(+), 2 deletions(-)
>> +
>> +diff --git a/auth2-chall.c b/auth2-chall.c
>> +index
>> ea4eb6952f8c13928c3fc595007f2d844dde422f..065361d3ec22f4f131308d1b4497afada3c3cb78
>> 100644
>> +--- a/auth2-chall.c
>> ++++ b/auth2-chall.c
>> +@@ -83,6 +83,7 @@ struct KbdintAuthctxt
>> +     void *ctxt;
>> +     KbdintDevice *device;
>> +     u_int nreq;
>> ++    u_int devices_done;
>> + };
>> +
>> + #ifdef USE_PAM
>> +@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt,
>> KbdintAuthctxt *kbdintctxt)
>> +         if (len == 0)
>> +             break;
>> +         for (i = 0; devices[i]; i++) {
>> +-            if (!auth2_method_allowed(authctxt,
>> ++            if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
>> ++                !auth2_method_allowed(authctxt,
>> +                 "keyboard-interactive", devices[i]->name))
>> +                 continue;
>> +-            if (strncmp(kbdintctxt->devices, devices[i]->name, len)
>> == 0)
>> ++            if (strncmp(kbdintctxt->devices, devices[i]->name,
>> ++                len) == 0) {
>> +                 kbdintctxt->device = devices[i];
>> ++                kbdintctxt->devices_done |= 1 << i;
>> ++            }
>> +         }
>> +         t = kbdintctxt->devices;
>> +         kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
>> +--
>> +2.6.2
>> +
>> diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> index aa71cc1..9246284 100644
>> --- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> @@ -25,6 +25,7 @@ SRC_URI =
>> "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
>>              file://CVE-2015-6563.patch  \
>>              file://CVE-2015-6564.patch \
>>              file://CVE-2015-6565.patch \
>> +           file://CVE-2015-5600.patch \
>>              "
>>
>>   PAM_SRC_URI = "file://sshd"
>>
>