OpenSSH Security Advisory: legacy-certs.adv
This document may be found at: http://www.openssh.com/txt/legacy-cert.adv
1. Vulnerability
Legacy certificates generated by OpenSSH might contain data
from the stack thus leaking confidential information.
2. Affected configurations
OpenSSH 5.6 and OpenSSH 5.7 only when generating legacy
certificates. These must be specifically requested using the
"-t" option on the ssh-keygen CA command-line.
3. Mitigation
Avoid generating legacy certificates using OpenSSH 5.6 or 5.7
If legacy certificates have been issued with a vulnerable
OpenSSH version, consider rotating any CA key used.
4. Details
When generating legacy *-cert-v00@openssh.com certificates,
the nonce field was not being correctly filled with random
data but was left uninitialised, containing the contents of
the stack.
The contents of the stack at this point in ssh-keygen's
execution do not appear to leak the CA private key or other
sensitive data, but this possibility cannot be excluded on
all platforms and library versions.
If certificates are generated using user-specified contents
(as opposed to the CA specifying all fields) then they will
be less resistant to hash collision attacks. Fortunately,
such attacks are not currently considered practical for the
SHA family of hashes used to sign these certificates.
5. Credit
This issue was privately reported by Mateusz Kocielski on
January 26, 2011.
6. Fix
OpenSSH 5.8 contains a fix for this vulnerability. Users who
prefer to continue to use OpenSSH 5.6 or 5.7 may apply this
patch:
Index: key.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/key.c,v
retrieving revision 1.95
diff -u -r1.95 key.c
--- key.c 10 Nov 2010 01:33:07 -0000 1.95
+++ key.c 3 Feb 2011 06:52:33 -0000
@@ -1823,8 +1823,8 @@
buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
/* -v01 certs put nonce first */
+ arc4random_buf(&nonce, sizeof(nonce));
if (!key_cert_is_legacy(k)) {
- arc4random_buf(&nonce, sizeof(nonce));
buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
}
_______________________________________________
openssh-unix-announce mailing list
openssh-unix-announce@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-announce
This document may be found at: http://www.openssh.com/txt/legacy-cert.adv
1. Vulnerability
Legacy certificates generated by OpenSSH might contain data
from the stack thus leaking confidential information.
2. Affected configurations
OpenSSH 5.6 and OpenSSH 5.7 only when generating legacy
certificates. These must be specifically requested using the
"-t" option on the ssh-keygen CA command-line.
3. Mitigation
Avoid generating legacy certificates using OpenSSH 5.6 or 5.7
If legacy certificates have been issued with a vulnerable
OpenSSH version, consider rotating any CA key used.
4. Details
When generating legacy *-cert-v00@openssh.com certificates,
the nonce field was not being correctly filled with random
data but was left uninitialised, containing the contents of
the stack.
The contents of the stack at this point in ssh-keygen's
execution do not appear to leak the CA private key or other
sensitive data, but this possibility cannot be excluded on
all platforms and library versions.
If certificates are generated using user-specified contents
(as opposed to the CA specifying all fields) then they will
be less resistant to hash collision attacks. Fortunately,
such attacks are not currently considered practical for the
SHA family of hashes used to sign these certificates.
5. Credit
This issue was privately reported by Mateusz Kocielski on
January 26, 2011.
6. Fix
OpenSSH 5.8 contains a fix for this vulnerability. Users who
prefer to continue to use OpenSSH 5.6 or 5.7 may apply this
patch:
Index: key.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/key.c,v
retrieving revision 1.95
diff -u -r1.95 key.c
--- key.c 10 Nov 2010 01:33:07 -0000 1.95
+++ key.c 3 Feb 2011 06:52:33 -0000
@@ -1823,8 +1823,8 @@
buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
/* -v01 certs put nonce first */
+ arc4random_buf(&nonce, sizeof(nonce));
if (!key_cert_is_legacy(k)) {
- arc4random_buf(&nonce, sizeof(nonce));
buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
}
_______________________________________________
openssh-unix-announce mailing list
openssh-unix-announce@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-announce