| Summary: | dropbear new security issue CVE-2021-36369 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, dan, davidwhodgins, herman.viaene, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | has_procedure MGA8-64-OK | ||
| Source RPM: | dropbear-2020.81-3.mga9.src.rpm | CVE: | |
| Status comment: | |||
|
Description

David Walser
2022-11-14 18:15:10 CET

David Walser
2022-11-14 18:15:21 CET

Status comment: (none) => Fixed upstream in 2022.82

Updated Cauldron to ver. 2022.83 which includes a fix.

David Walser
2022-11-15 15:09:14 CET

Version: Cauldron => 8

Dan has uploaded dropbear-2020.81-1.1.mga8 for Mageia 8.

CC: (none) => dan

dropbear-2020.81-1.1.mga8 is in updates_testing.

QA regression test method:

1. Install/upgrade the fixed dropbear RPM version.
2. Set up a local SSH server (it doesn't have to be Dropbear) to allow logins by the local user.
3. Execute: dbclient -o DisableTrivialAuth=yes localhost echo OK and log in, if necessary.
4. Test passes if "OK" is displayed AND no error messages are displayed (especially messages about unknown configuration options).

Advisory:
========================

Updated dropbear package fixes a security vulnerability in dbclient:

Due to a non-RFC-compliant check of the available authentication methods in the client-side SSH code, it is possible for an SSH server to change the login process in its favor. This attack can bypass additional security measures such as FIDO2 tokens or SSH-Askpass. Thus, it allows an attacker to abuse a forwarded agent for logging on to another server unnoticed. The fix adds a new option, DisableTrivialAuth, to dbclient to disable this attack vector. Invoke dbclient like this: "dbclient -o DisableTrivialAuth=yes localhost …" to enable this mitigation on each dbclient invocation.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36369
https://github.com/mkj/dropbear/pull/128
========================

Updated packages in core/updates_testing:
========================
dropbear-2020.81-1.1.mga8 from dropbear-2020.81-1.1.mga8.src.rpm
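The advisory describes the bug at the level of the SSH userauth exchange (RFC 4252): the client first sends the "none" method, and may send a public-key query without a signature, to learn what the server offers; a server that answers such a probe with USERAUTH_SUCCESS has "logged the user in" without the user proving anything, and the client keeps the session, with any forwarded agent, open. The following Python model is an added example written for this page; it is not Dropbear's code and not part of the bug report. The class and method names, the `is_trivial` flag and the two replay functions are this example's own bookkeeping, meant to illustrate the idea of the DisableTrivialAuth check rather than to reproduce the patch line by line.

```python
"""Model of the client-side "trivial authentication" check (added example).

Not Dropbear's code. Method names follow RFC 4252 (none, publickey,
password); the state tracking is this example's own assumption about how
such a check behaves.
"""
from dataclasses import dataclass, field
from typing import List


class TrivialAuthRefused(Exception):
    """Raised when the server accepts a login that proved nothing."""


@dataclass
class ClientAuthState:
    disable_trivial_auth: bool
    sent: List[str] = field(default_factory=list)
    # Stays True until the client sends something that actually
    # authenticates: a signed publickey request or a password.
    is_trivial: bool = True
    authenticated: bool = False

    # -- SSH_MSG_USERAUTH_REQUEST variants the client sends --
    def send_none(self) -> None:
        self.sent.append("none")                      # probe, no credential

    def send_pubkey_query(self, key_id: str) -> None:
        self.sent.append(f"publickey-query:{key_id}")  # no signature yet

    def send_pubkey_signed(self, key_id: str) -> None:
        self.sent.append(f"publickey-signed:{key_id}")
        self.is_trivial = False                       # a signature is real proof

    def send_password(self) -> None:
        self.sent.append("password")
        self.is_trivial = False

    # -- replies from the server --
    def recv_success(self) -> bool:
        """Handle SSH_MSG_USERAUTH_SUCCESS.

        Option off (vulnerable behaviour): accept unconditionally.
        Option on (mitigated): refuse if no real credential was sent yet.
        """
        if self.disable_trivial_auth and self.is_trivial:
            raise TrivialAuthRefused(
                "server accepted login before any credential was sent; "
                f"requests so far: {self.sent}")
        self.authenticated = True
        return True

    def recv_failure(self, methods_that_can_continue: List[str]) -> List[str]:
        """Handle SSH_MSG_USERAUTH_FAILURE; return the server's method list."""
        return methods_that_can_continue


def login_against_malicious_server(disable_trivial_auth: bool) -> str:
    """Replay a server that answers the initial "none" probe with SUCCESS.

    Returns "accepted" (vulnerable) or "refused" (mitigated).
    """
    st = ClientAuthState(disable_trivial_auth)
    st.send_none()
    try:
        st.recv_success()
    except TrivialAuthRefused:
        return "refused"
    return "accepted"


def login_against_honest_server(disable_trivial_auth: bool) -> str:
    """Replay a normal exchange: none -> FAILURE(publickey), signed key -> SUCCESS.

    The mitigation must not get in the way here, whichever way the option is set.
    """
    st = ClientAuthState(disable_trivial_auth)
    st.send_none()
    offered = st.recv_failure(["publickey", "password"])
    if "publickey" in offered:
        st.send_pubkey_query("id_ed25519")   # server would answer PK_OK here
        st.send_pubkey_signed("id_ed25519")  # then the client signs for real
    st.recv_success()
    return "accepted" if st.authenticated else "refused"


if __name__ == "__main__":
    for flag in (False, True):
        print(f"DisableTrivialAuth={flag}: malicious server ->",
              login_against_malicious_server(flag),
              "| honest server ->", login_against_honest_server(flag))
```

The point the two replays make is the one the QA procedure relies on: with the option set, a SUCCESS that arrives before a signature or password was sent is treated as an error rather than a login, while an ordinary exchange is unaffected.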
Dan Fandrich
2022-11-16 00:04:47 CET

Whiteboard: (none) => has_procedure

MGA8-64 MATE on Acer Aspire 5253

No installation issues.
Trying to follow bug 23493 Comment 1, but getting into all sorts of problems.

```
# systemctl stop sshd.service
# systemctl start dropbear.service
# systemctl -l status dropbear.service
● dropbear.service - Dropbear SSH Server Daemon
     Loaded: loaded (/usr/lib/systemd/system/dropbear.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-11-18 15:19:21 CET; 35min ago
    Process: 14031 ExecStart=/usr/sbin/dropbear $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 14032 (dropbear)
      Tasks: 1 (limit: 4364)
     Memory: 312.0K
        CPU: 397ms
     CGroup: /system.slice/dropbear.service
             └─14032 /usr/sbin/dropbear
```

So far so good. Remark then: python-paramiko does not exist anymore in our repo, I find python3-paramiko.

```
# ssh mach7 echo Working
The authenticity of host 'mach7 (192.168.2.7)' can't be established.
ECDSA key fingerprint is SHA256:/YjHIhPZYhN3pAQxIt6gxPCNZf162y/0LMsHluzLcEQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mach7,192.168.2.7' (ECDSA) to the list of known hosts.
root@mach7's password:
/usr/bin/xauth: file /root/.Xauthority does not exist
Working
[root@mach7 ~]# ssh mach7 echo Working
root@mach7's password:
Working
```

I think this is acceptable, but as normal user:

```
$ ssh mach7 echo Working
The authenticity of host 'mach7 (192.168.2.7)' can't be established.
ECDSA key fingerprint is SHA256:/YjHIhPZYhN3pAQxIt6gxPCNZf162y/0LMsHluzLcEQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mach7,192.168.2.7' (ECDSA) to the list of known hosts.
tester8@mach7's password:
Permission denied, please try again.
```

```
$ curl -ORL https://bugfuzz.com/stuff/ssh-check-username.py
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2655  100  2655    0     0   4109      0 --:--:-- --:--:-- --:--:--  4109
[tester8@mach7 ~]$ python ssh-check-username.py --port 22 127.0.0.1 $USER
  File "ssh-check-username.py", line 68
    print '[-] Failed to connect'
          ^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print('[-] Failed to connect')?
```

Changed in the downloaded file the print statements as suggested and also #!/usr/bin/env python3, but:

```
$ python3 ssh-check-username.py --port 22 127.0.0.1 $USER
Traceback (most recent call last):
  File "ssh-check-username.py", line 39, in <module>
    old_service_accept = paramiko.auth_handler.AuthHandler._handler_table[
TypeError: 'property' object is not subscriptable
```

And here I am definitely lost.

CC: (none) => herman.viaene

The QA procedure for bug 23493 is irrelevant to this bug. Use the procedure in comment #3.

```
# systemctl stop sshd.service
# systemctl start dropbear.service
# systemctl -l status dropbear.service
● dropbear.service - Dropbear SSH Server Daemon
     Loaded: loaded (/usr/lib/systemd/system/dropbear.service; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2022-11-20 10:10:02 CET; 5s ago
    Process: 3766 ExecStart=/usr/sbin/dropbear $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 3767 (dropbear)
      Tasks: 1 (limit: 4364)
     Memory: 1.0M
        CPU: 15ms
     CGroup: /system.slice/dropbear.service
             └─3767 /usr/sbin/dropbear

Nov 20 10:10:02 mach7.hviaene.thuis systemd[1]: Starting Dropbear SSH Server Daemon...
Nov 20 10:10:02 mach7.hviaene.thuis dropbear[3766]: Failed loading /etc/dropbear/dropbear_ed25519_host_key
Nov 20 10:10:02 mach7.hviaene.thuis systemd[1]: dropbear.service: Can't open PID file /run/dropbear.pid (yet?) after>
Nov 20 10:10:02 mach7.hviaene.thuis dropbear[3767]: Running in background
Nov 20 10:10:02 mach7.hviaene.thuis systemd[1]: Started Dropbear SSH Server Daemon.
```

Then as normal user:

```
$ dbclient -o DisableTrivialAuth=yes localhost echo OK

Host 'localhost' is not in the trusted hosts file.
(ecdsa-sha2-nistp256 fingerprint sha1!! 54:cf:a1:b0:1e:8f:87:90:4f:64:5c:ad:79:b0:ca:dd:56:ac:66:ba)
Do you want to continue connecting? (y/n) y
tester8@localhost's password:
OK
```

So, good to go.

Whiteboard: has_procedure => has_procedure MGA8-64-OK

Validating. Advisory in comment 3.

Keywords: (none) => validated_update
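The run above is the manual form of steps 3 and 4 of the procedure in comment 3. As an added example that is not part of the bug report or of the dropbear package, the script below automates it: it runs the same `dbclient -o DisableTrivialAuth=yes localhost echo OK` command, then applies the pass rule from the procedure (a line reading "OK" on stdout, and no complaint about an unknown configuration option on stderr) in a separate `evaluate` function so the rule can be checked against captured output on its own. The function names and the exact wording matched for the unknown-option message are assumptions of this example; the match is kept loose and case-insensitive for that reason.

```python
"""Automated form of the dbclient regression check (added example).

Not part of the Mageia bug report or of Dropbear. The pass/fail rule comes
from the QA procedure in comment 3; the phrase matched on stderr for an
unrecognised -o option is an assumption.
"""
import re
import subprocess
import sys
from typing import List, Optional, Tuple

# Assumed wording: an unpatched dbclient that does not know the option is
# expected to complain about an "unknown configuration option".
UNKNOWN_OPTION_RE = re.compile(r"unknown (configuration )?option", re.IGNORECASE)


def evaluate(stdout: str, stderr: str) -> Tuple[bool, List[str]]:
    """Apply the procedure's rule to captured output.

    Passes only if some stdout line is exactly "OK" and no stderr line
    reports an unknown option. Returns (passed, reasons-for-failure).
    """
    reasons: List[str] = []
    out_lines = [line.strip() for line in stdout.splitlines()]
    if "OK" not in out_lines:
        reasons.append('stdout does not contain a line reading "OK"')
    for line in stderr.splitlines():
        if UNKNOWN_OPTION_RE.search(line):
            reasons.append(f"client rejected the option: {line.strip()}")
    return (not reasons, reasons)


def run_check(host: str = "localhost", user: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Run the command from step 3 and evaluate its output (step 4).

    dbclient asks for the password on the controlling terminal, so this is
    meant to be run interactively after the host key has been accepted once.
    """
    target = f"{user}@{host}" if user else host
    cmd = ["dbclient", "-o", "DisableTrivialAuth=yes", target, "echo", "OK"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    passed, reasons = evaluate(proc.stdout, proc.stderr)
    if proc.returncode != 0:
        reasons.append(f"dbclient exited with status {proc.returncode}")
        passed = False
    return passed, reasons


if __name__ == "__main__":
    # usage: python3 check_dbclient.py [host] [user]
    ok, why = run_check(*sys.argv[1:3])
    print("PASS" if ok else "FAIL: " + "; ".join(why))
    sys.exit(0 if ok else 1)
```

Because stderr is captured, accept the host key once by hand first (as in the transcript above) so that the trusted-hosts prompt is not hidden behind the capture; after that the script reports PASS for a patched client and FAIL, with the offending stderr line, for a client that does not understand the option.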
Dave Hodgins
2022-11-24 04:19:14 CET

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0436.html

Status: NEW => RESOLVED