https://bugzilla.mindrot.org/show_bug.cgi?id=3675
Bug ID: 3675
Summary: CASignatureAlgorithms should be verified before
verifying signatures
Product: Portable OpenSSH
Version: 9.7p1
Hardware: Other
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs@mindrot.org
Reporter: andres@anarazel.de
Hi,
The code injected in CVE-2024-3094 causes RSA_public_decrypt to be
redirected to a payload. This is not reachable for normal pubkey
authentication without
1) the key algorithm being of a permitted type
2) knowing at least the signature of a pubkey in authorized_keys etc
However, certificates are verified before such checks:
userauth_pubkey()
-> sshkey_from_blob()
-> sshkey_from_blob_internal()
-> cert_parse()
-> sshkey_verify(key->cert->signature_key)
-> ssh_rsa_verify() (or others, depending on cert type)
-> openssh_RSA_verify()
-> RSA_public_decrypt()
The signature algorithm *is* subsequently checked, but of course
RSA_public_decrypt has already been called by that point.
Outside of CVE-2024-3094, which is not openssh's reponsibility, that is
not a correctness issue. But doing verification of signatures with
algorithms that are disabled still seems fairly suboptimal, increasing
the amount of code reachable without having any valid access.
Looks to me that an equivalent to checking in authorized_keys can't be
done before the verification, but checking CASignatureAlgorithms seems
entirely possible.
It might also be worth rejecting certificates without any validation if
the sshd is not configured to use CA based auth.
Regards,
Andres
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
Bug ID: 3675
Summary: CASignatureAlgorithms should be verified before
verifying signatures
Product: Portable OpenSSH
Version: 9.7p1
Hardware: Other
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs@mindrot.org
Reporter: andres@anarazel.de
Hi,
The code injected in CVE-2024-3094 causes RSA_public_decrypt to be
redirected to a payload. This is not reachable for normal pubkey
authentication without
1) the key algorithm being of a permitted type
2) knowing at least the signature of a pubkey in authorized_keys etc
However, certificates are verified before such checks:
userauth_pubkey()
-> sshkey_from_blob()
-> sshkey_from_blob_internal()
-> cert_parse()
-> sshkey_verify(key->cert->signature_key)
-> ssh_rsa_verify() (or others, depending on cert type)
-> openssh_RSA_verify()
-> RSA_public_decrypt()
The signature algorithm *is* subsequently checked, but of course
RSA_public_decrypt has already been called by that point.
Outside of CVE-2024-3094, which is not openssh's reponsibility, that is
not a correctness issue. But doing verification of signatures with
algorithms that are disabled still seems fairly suboptimal, increasing
the amount of code reachable without having any valid access.
Looks to me that an equivalent to checking in authorized_keys can't be
done before the verification, but checking CASignatureAlgorithms seems
entirely possible.
It might also be worth rejecting certificates without any validation if
the sshd is not configured to use CA based auth.
Regards,
Andres
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs