A CVE has been assigned for a security issue fixed upstream in OpenSSH: http://openwall.com/lists/oss-security/2015/07/23/4 openssh-6.9p1-5.mga6 uploaded for Cauldron with the upstream patch. Mageia 5 is also affected. Mageia 4 may be affected, but the code has changed a bit, so we'll see. Reproducible: Steps to Reproduce:
URL: (none) => http://lwn.net/Vulnerabilities/652363/
CC: (none) => mageiaAssignee: bugsquad => guillomovitch
I accidentally checked my backported patch for Mageia 4 into SVN yesterday too, but I don't know yet if it's correct. I'll get a better idea when I see what Debian 7 and/or Ubuntu 10.04LTS do.
Whiteboard: (none) => MGA4TOO
PoC: $ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000' user@mageia-machine where mageia-machine is the hostname or IP address of the Mageia machine that you are testing for this vulnerability, and user is the name of a user account on that machine. As long as keyboard authentication is enabled (the default) and you're not using an SSH key for that account, it will prompt for a password by simply saying "Password: ". The correct behavior is that it only gives that prompt three times for incorrect passwords (before switching to user@mageia-machine for two more tries and then exiting), but with this vulnerability, the "Password: " prompt will continue for 10000 (or 30000, I'm not sure) tries. I've verified the vulnerability on Mageia 4 and Mageia 5, and verified the fix on Mageia 4. Patched packages uploaded for Mageia 4 and Mageia 5. Advisory: ======================== Updated openssh package fixes security vulnerabilities: The OpenSSH server, when keyboard-interactive challenge response authentication is enabled and PAM is being used (the default configuration in Mageia), can be tricked into allowing more password attempts than the MaxAuthTries setting would normally allow in one connection, which can aid an attacker in brute-force password guessing (CVE-2015-5600). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600 http://openwall.com/lists/oss-security/2015/07/23/4 ======================== Updated packages in core/updates_testing: ======================== openssh-6.2p2-3.4.mga4 openssh-clients-6.2p2-3.4.mga4 openssh-server-6.2p2-3.4.mga4 openssh-askpass-common-6.2p2-3.4.mga4 openssh-askpass-6.2p2-3.4.mga4 openssh-askpass-gnome-6.2p2-3.4.mga4 openssh-ldap-6.2p2-3.4.mga4 openssh-6.6p1-5.3.mga5 openssh-clients-6.6p1-5.3.mga5 openssh-server-6.6p1-5.3.mga5 openssh-askpass-common-6.6p1-5.3.mga5 openssh-askpass-6.6p1-5.3.mga5 openssh-askpass-gnome-6.6p1-5.3.mga5 openssh-ldap-6.6p1-5.3.mga5 from SRPMS: openssh-6.2p2-3.4.mga4.src.rpm openssh-6.6p1-5.3.mga5.src.rpm
Assignee: guillomovitch => qa-bugsWhiteboard: MGA4TOO => MGA4TOO has_procedure MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit Package(s) under test: openssh openssh-clients openssh-server default install of openssh openssh-clients & openssh-server [root@localhost wilcal]# urpmi openssh Package openssh-6.2p2-3.3.mga4.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-clients Package openssh-clients-6.2p2-3.3.mga4.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-server Package openssh-server-6.2p2-3.3.mga4.x86_64 is already installed Putty can connect to localhost Putty can connect to an external ssh server on the LAN Putty on another M5 system on the LAN can connect back to the Vbox client under test "ssh-keygen -t rsa" command generates a public and private key install openssh openssh-clients & openssh-server from updates_testing [root@localhost wilcal]# urpmi openssh Package openssh-6.2p2-3.4.mga4.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-clients Package openssh-clients-6.2p2-3.4.mga4.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-server Package openssh-server-6.2p2-3.4.mga4.x86_64 is already installed Putty can connect to localhost Putty can connect to an external ssh server on the LAN Putty on another M5 system on the LAN can connect back to the Vbox client under test "ssh-keygen -t rsa" command generates a public and private key Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver virtualbox-4.3.26-1.mga4.x86_64 virtualbox-guest-additions-4.3.26-1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: MGA4TOO has_procedure MGA4-32-OK => MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK
In VirtualBox, M5, KDE, 32-bit Package(s) under test: openssh openssh-clients openssh-server default install of openssh openssh-clients & openssh-server [root@localhost wilcal]# urpmi openssh Package openssh-6.6p1-5.1.mga5.i586 is already installed [root@localhost wilcal]# urpmi openssh-clients Package openssh-clients-6.6p1-5.1.mga5.i586 is already installed [root@localhost wilcal]# urpmi openssh-server Package openssh-server-6.6p1-5.1.mga5.i586 is already installed Putty can connect to localhost Putty can connect to an external ssh server on the LAN Putty on another M5 system on the LAN can connect back to the Vbox client under test "ssh-keygen -t rsa" command generates a public and private key install openssh openssh-clients & openssh-server from updates_testing [root@localhost wilcal]# urpmi openssh Package openssh-6.6p1-5.3.mga5.i586 is already installed [root@localhost wilcal]# urpmi openssh-clients Package openssh-clients-6.6p1-5.3.mga5.i586 is already installed [root@localhost wilcal]# urpmi openssh-server Package openssh-server-6.6p1-5.3.mga5.i586 is already installed Putty can connect to localhost Putty can connect to an external ssh server on the LAN Putty on another M5 system on the LAN can connect back to the Vbox client under test "ssh-keygen -t rsa" command generates a public and private key Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver virtualbox-4.3.26-1.mga4.x86_64 virtualbox-guest-additions-4.3.26-1.mga4.x86_64
Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK => MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit Package(s) under test: openssh openssh-clients openssh-server default install of openssh openssh-clients & openssh-server [root@localhost wilcal]# urpmi openssh Package openssh-6.6p1-5.1.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-clients Package openssh-clients-6.6p1-5.1.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-server Package openssh-server-6.6p1-5.1.mga5.x86_64 is already installed Putty can connect to localhost Putty can connect to an external ssh server on the LAN Putty on another M5 system on the LAN can connect back to the Vbox client under test "ssh-keygen -t rsa" command generates a public and private key install openssh openssh-clients & openssh-server from updates_testing [root@localhost wilcal]# urpmi openssh Package openssh-6.6p1-5.3.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-clients Package openssh-clients-6.6p1-5.3.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-server Package openssh-server-6.6p1-5.3.mga5.x86_64 is already installed Putty can connect to localhost Putty can connect to an external ssh server on the LAN Putty on another M5 system on the LAN can connect back to the Vbox client under test "ssh-keygen -t rsa" command generates a public and private key Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver virtualbox-4.3.26-1.mga4.x86_64 virtualbox-guest-additions-4.3.26-1.mga4.x86_64
Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
Looks good. What say ye David?
William, it doesn't look like you tested the PoC I gave.
Keywords: (none) => validated_updateWhiteboard: MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
In VirtualBox, M4, KDE, 32-bit Vbox client under test is at: 192.168.1.142 user: wilcal Putty can ssh into that Vbox client In user terminal on another M5 system on the LAN: ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000' wilcal@192.168.1.142 results in the following: [wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000' wilcal@192.168.1.142 > Is perl installed by default into Mageia? Or are there some other perl apps that need to be installed? Goes like this if I enter something: > test > test > test > test > test > test
I think you're missing a matching backtick after 10000, instead of a quote.
(In reply to Samuel VERSCHELDE from comment #9) > I think you're missing a matching backtick after 10000, instead of a quote. ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000` wilcal@192.168.1.142 [wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000` wilcal@192.168.1.142 bash: command substitution: line 1: unexpected EOF while looking for matching `'' bash: command substitution: line 2: syntax error: unexpected end of file command-line line 0: Missing argument. Sorry you gotta hold my hand here. What exactly should the command be? Thanks
I screwed up the command when I pasted it. ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.142 Sorry for the confusion.
(In reply to David Walser from comment #11) > ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.142 > > Sorry for the confusion. In VirtualBox, M4, KDE, 64-bit From another M5 system on the LAN in a terminal entering three incorrect passwords: [wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.142 wilcal@192.168.1.142's password: Permission denied, please try again. wilcal@192.168.1.142's password: Permission denied, please try again. wilcal@192.168.1.142's password: Permission denied (publickey,password,keyboard-interactive). [wilcal@localhost ~]$ Cool. If I give it the correct password it works fine. Also I'm ping'n a fixed Vbox client so therefore we can consider this a fixed client?
In VirtualBox, M5, KDE, 32-bit [wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.143 Warning: Permanently added '192.168.1.143' (RSA) to the list of known hosts. Password: Password: Password: wilcal@192.168.1.143's password: Permission denied, please try again. wilcal@192.168.1.143's password: Permission denied, please try again. wilcal@192.168.1.143's password: Received disconnect from 192.168.1.143: 2: Too many authentication failures for wilcal [wilcal@localhost ~]$ Using the correct password gets me in 1st try.
In VirtualBox, M5, KDE, 64-bit [wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.141 Warning: Permanently added '192.168.1.141' (RSA) to the list of known hosts. Password: Password: Password: wilcal@192.168.1.141's password: Permission denied, please try again. wilcal@192.168.1.141's password: Permission denied, please try again. wilcal@192.168.1.141's password: Received disconnect from 192.168.1.141: 2: Too many authentication failures for wilcal [wilcal@localhost ~]$ Using the correct password gets me in 1st try.
In VirtualBox, M5, KDE, 64-bit ( unfixed ) [wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.141 Password: Password: Password: Password: Password: Password: Password: Password: Password: Password: Password: and on and on and on and on
Correct, it'll keep saying "Password: " over and over again for unfixed, and it'll only do that threetimes before moving on to "wilcal@192.168.1.141's password: " if it's fixed. It looks like you got the correct results.
This things good to go. We also got some good procedures documented here. Many thanks all. Testing complete for mga4/5 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0295.html
Status: NEW => RESOLVEDResolution: (none) => FIXED