Bug 22837 - python-paramiko new security issue CVE-2018-7750
Summary: python-paramiko new security issue CVE-2018-7750
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-28 13:23 CEST by David Walser
Modified: 2018-04-15 15:34 CEST

See Also:
Source RPM: python-paramiko-2.0.0-2.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-03-28 13:23:51 CEST
RedHat has issued an advisory on March 26:
https://access.redhat.com/errata/RHSA-2018:0591

The issue is fixed upstream in 2.0.8.

Mageia 6 is also affected.
David Walser 2018-03-28 13:23:57 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-03-30 17:47:59 CEST
Assigning to the Python stack maintainers, CC'ing the registered maintainer.

Assignee: bugsquad => python
CC: (none) => makowski.mageia, marja11

Comment 3 Philippe Makowski 2018-04-07 17:48:08 CEST
Cauldron has 2.0.8 and mga6 too; it seems that shlomif is taking care of this one.
Comment 4 David Walser 2018-04-07 18:20:43 CEST
Hmm, I never saw these on pkgsubmit.  This is the second time this has happened recently.

Advisory:
========================

Updated python-paramiko packages fix security vulnerability:

A flaw was found in the implementation of `transport.py` in Paramiko, which did
not properly check whether authentication was completed before processing other
requests. A customized SSH client could simply skip the authentication step
(CVE-2018-7750).

This flaw is a user authentication bypass in the SSH Server functionality of
Paramiko. Where Paramiko is used only for its client-side functionality (e.g.
`paramiko.SSHClient`), the vulnerability is not exposed and thus cannot be
exploited.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7750
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LARLVBNA4RSS6S3OV3KVS5PZKZPSW6O5/
========================

Updated packages in core/updates_testing:
========================
python-paramiko-2.0.8-1.mga6
python3-paramiko-2.0.8-1.mga6

from python-paramiko-2.0.8-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Assignee: python => qa-bugs
Version: Cauldron => 6
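
The advisory above describes the defect as a server-side dispatcher that acted on requests without first checking that user authentication had completed. The following is an added illustration written for this bug report, not Paramiko's transport.py and not code from Mageia: it models the two dispatcher shapes generically (a handler table keyed on message type alone, beside one that gates on authentication state and fails closed). The message numbers are the RFC 4250 values; the credentials, handler names and scripted exchanges are constructed for the example, and no real SSH wire handling is involved.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Msg(IntEnum):
    """SSH transport/auth/connection message numbers (RFC 4250)."""
    DISCONNECT = 1
    IGNORE = 2
    DEBUG = 4
    SERVICE_REQUEST = 5
    KEXINIT = 20
    NEWKEYS = 21
    USERAUTH_REQUEST = 50
    GLOBAL_REQUEST = 80
    CHANNEL_OPEN = 90


# What a server may accept from a peer that has not yet authenticated.  Everything
# else (channel opens, global requests, ...) belongs to the connection layer and
# presupposes a completed user authentication.
PRE_AUTH_ALLOWED = frozenset({
    Msg.DISCONNECT, Msg.IGNORE, Msg.DEBUG, Msg.SERVICE_REQUEST,
    Msg.KEXINIT, Msg.NEWKEYS, Msg.USERAUTH_REQUEST,
})

VALID_CREDENTIALS = {"alice": "correct horse"}  # constructed sample, not real accounts


@dataclass
class ServerState:
    authenticated: bool = False
    disconnected: bool = False
    channels: list = field(default_factory=list)
    log: list = field(default_factory=list)


def _userauth(state, payload):
    user, secret = payload
    if VALID_CREDENTIALS.get(user) == secret:
        state.authenticated = True
        return "USERAUTH_SUCCESS"
    return "USERAUTH_FAILURE"


def _channel_open(state, payload):
    state.channels.append(payload)
    return f"CHANNEL_OPEN_CONFIRMATION {payload}"


# Handler table keyed on message type only: the shape of the weak dispatcher.
HANDLERS = {
    Msg.KEXINIT: lambda s, p: "KEXINIT",
    Msg.NEWKEYS: lambda s, p: "NEWKEYS",
    Msg.SERVICE_REQUEST: lambda s, p: f"SERVICE_ACCEPT {p}",
    Msg.USERAUTH_REQUEST: _userauth,
    Msg.GLOBAL_REQUEST: lambda s, p: "REQUEST_SUCCESS",
    Msg.CHANNEL_OPEN: _channel_open,
}


def dispatch_unchecked(state, msg, payload):
    """Weak pattern: route on message type alone.  Nothing asks whether the
    peer has authenticated, so a CHANNEL_OPEN sent early is simply honoured."""
    handler = HANDLERS.get(msg)
    return handler(state, payload) if handler else "UNIMPLEMENTED"


def dispatch_gated(state, msg, payload):
    """Hardened pattern: until authentication completes, refuse any message
    outside the pre-auth allow-list, record why, and fail closed by ending the
    session.  The log line is what a detection rule can key on."""
    if not state.authenticated and msg not in PRE_AUTH_ALLOWED:
        state.log.append(f"refused {msg.name} ({int(msg)}) before authentication")
        state.disconnected = True
        return "DISCONNECT"
    handler = HANDLERS.get(msg)
    return handler(state, payload) if handler else "UNIMPLEMENTED"


def run_session(dispatch, messages):
    """Feed a scripted sequence of (type, payload) messages through a dispatcher."""
    state, replies = ServerState(), []
    for msg, payload in messages:
        if state.disconnected:
            break
        replies.append(dispatch(state, msg, payload))
    return state, replies


# Constructed exchanges.  HANDSHAKE is the part every session shares; the first
# scripted peer never sends USERAUTH_REQUEST, the second authenticates properly.
HANDSHAKE = [(Msg.KEXINIT, None), (Msg.NEWKEYS, None), (Msg.SERVICE_REQUEST, "ssh-userauth")]
NO_AUTH = HANDSHAKE + [(Msg.CHANNEL_OPEN, "session")]
WITH_AUTH = HANDSHAKE + [(Msg.USERAUTH_REQUEST, ("alice", "correct horse")),
                         (Msg.CHANNEL_OPEN, "session")]

if __name__ == "__main__":
    for name, dispatch in (("unchecked", dispatch_unchecked), ("gated", dispatch_gated)):
        state, replies = run_session(dispatch, NO_AUTH)
        print(f"{name:9s} channels={state.channels} last reply={replies[-1]!r} log={state.log}")
```

Run stand-alone, the unchecked dispatcher ends the NO_AUTH script with a session channel open and `authenticated` still False, while the gated one ends it with DISCONNECT, no channel, and one log entry. The point for reviewers of any protocol server is that the authentication check belongs in the dispatch path, not in individual handlers, so that a new message type cannot be added later without inheriting it; and as the advisory notes, a process that only uses the client side (`paramiko.SSHClient`) never runs a server dispatcher at all.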

Comment 5 Lewis Smith 2018-04-08 20:44:17 CEST
Background for starters

python-paramiko : SSH2 protocol for Python

$ urpmq --whatrequires python-paramiko | uniq
 ansible : SH-based configuration management, deployment, and task execution system
 bzrtools : A collection of utilities and plugins for Bazaar-NG (= bzr: Next-generation distributed version control)
 cloud-utils : Cloud image management utilities
 duplicity : see https://bugs.mageia.org/show_bug.cgi?id=20249
 fwbackups : Feature-rich user backup program   [Easiest?]
 mysql-workbench : A MySQL visual database modeling, administration, development and migration tool
 noethys : Software to handle "multi activity" centers
 patator : Multi-purpose brute-forcer
 python-x2go : A client-side X2go API for the Python programming language
 reviewboard : Web-based code review tool
Plenty of choice!

No PoC. The references talk about SSH2, so having that looks rather necessary.

Keywords: (none) => advisory

Comment 6 Len Lawrence 2018-04-13 20:46:26 CEST
Thanks for the pointers, Lewis.  Testing this as soon as.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2018-04-14 02:12:26 CEST
Mageia 6, x86_64
This report is a bit lengthy - please bear with me.

$ rpm -qa | grep ssh2
lib64ssh2-devel-1.7.0-2.mga6
lib64ssh2_1-1.7.0-2.mga6
$ rpm -q python-paramiko
python-paramiko-2.0.0-1.mga6
duplicity, python-x2go and fwbackups installed.

Using python-x2go requires some x2go infrastructure including PyHoca-GUI, PyHoca-CLI and probably an x2go client/server setup so it would be best (aka easier) to follow the comment 5 suggestion and run backup software to test this.

The packages updated cleanly.

Although there are 57 packages on this machine which require python3 they do not include any of those listed in comment 5.  Furthermore
$ urpmq --whatrequires-recursive python3-paramiko
returns only python3-paramiko.
For instance,
$ urpmq --requires-recursive duplicity
mentions only python/python2 packages.
Hence we can assume that the following tests apply only to python-paramiko.
The python3 version is in place for whenever (if ever) python2.7 is dropped.  Everything is installed under /usr/lib/python3.5/site-packages/paramiko/.  It includes an extra subdirectory __pycache__ not seen under /usr/lib/python2.7...

Functionality test using duplicity
==================================
duplicity backs up directories using encrypted tar files.
Referred to the Ubuntu documentation for duplicity/ftp at https://help.ubuntu.com/community/DuplicityBackupHowto

Created a backup script:
#!/bin/sh
# duplicity reads the GnuPG passphrase from the environment; the scp:// URL
# carries the user, password, host and target directory of the remote backup.
export PASSPHRASE=itztuff4anewbie
duplicity /home/lcl/ruby scp://lcl:1ciaroltur@vega//data
unset PASSPHRASE
$ ./paramiko.sh
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
No signatures found, switching to full backup.
--------------[ Backup Statistics ]--------------
StartTime 1523663523.94 (Sat Apr 14 00:52:03 2018)
EndTime 1523663526.07 (Sat Apr 14 00:52:06 2018)
ElapsedTime 2.13 (2.13 seconds)
SourceFiles 2197
SourceFileSize 61492839 (58.6 MB)
NewFiles 2197
NewFileSize 61492839 (58.6 MB)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 2197
RawDeltaSize 60628525 (57.8 MB)
TotalDestinationSizeChange 27165839 (25.9 MB)
Errors 0
-------------------------------------------------

Recovered an individual file from the remote backup using the passphrase originally set in the paramiko.sh script:
$ duplicity --file-to-restore musica/simpler.rb scp://lcl:1ciaroltur@vega//data tmp/simpler.rb
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Sat Apr 14 00:52:03 2018
GnuPG passphrase: 
[lcl@difda ~]$ ll tmp/simpler.rb
-rwxr-xr-x 1 lcl lcl 26086 Oct 10  2016 tmp/simpler.rb*
[lcl@difda ~]$ ll ruby/musica/simpler.rb
-rwxr-xr-x 1 lcl lcl 26086 Oct 10  2016 ruby/musica/simpler.rb*


$ du -hs ruby
65M	ruby
Backup directory ruby to a local data disk.
$ duplicity /home/lcl/ruby file:///data/backups
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
GnuPG passphrase: 
Retype passphrase to confirm: 
No signatures found, switching to full backup.
--------------[ Backup Statistics ]--------------
StartTime 1523660652.57 (Sat Apr 14 00:04:12 2018)
EndTime 1523660654.69 (Sat Apr 14 00:04:14 2018)
ElapsedTime 2.12 (2.12 seconds)
SourceFiles 2197
SourceFileSize 61492839 (58.6 MB)
NewFiles 2197
NewFileSize 61492839 (58.6 MB)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 2197
RawDeltaSize 60628525 (57.8 MB)
TotalDestinationSizeChange 27165835 (25.9 MB)
Errors 0
-------------------------------------------------

Logged in remotely to machine 'vega' and checked the /data directory.
$ ssh lcl@vega
Password: 
[lcl@vega ~]$ ls /data/duplicity*
duplicity-full.20180413T235203Z.manifest.gpg
duplicity-full.20180413T235203Z.vol1.difftar.gpg
duplicity-full-signatures.20180413T235203Z.sigtar.gpg

$ ll /data/backups/
total 27572
-rw------- 1 lcl lcl    11373 Apr 14 00:04 duplicity-full.20180413T230256Z.manifest.gpg
-rw------- 1 lcl lcl 27165835 Apr 14 00:04 duplicity-full.20180413T230256Z.vol1.difftar.gpg
-rw------- 1 lcl lcl  1052530 Apr 14 00:04 duplicity-full-signatures.20180413T230256Z.sigtar.gpg
$ duplicity verify file:///data/backups ruby
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Sat Apr 14 00:02:56 2018
GnuPG passphrase: 
Verify complete: 2197 files compared, 0 differences found.

The following outputs a long list of files - displaying the tail end.
$ duplicity list-current-files file:///data/backups
...............................
Thu Aug 15 19:50:55 2013 weather/wed.rb
Tue Jul 23 22:28:38 2013 weather/wv.old
Wed May 20 09:58:38 2015 weather/wv.rb
Wed May 20 09:58:38 2015 weather/wv.rb~
Sun Feb  1 10:21:15 2009 weather/wv.tcl
Thu Jul 25 10:54:08 2013 weather/wv_rgb.rb
Wed May 20 09:50:30 2015 weather/wvtest.rb~
Wed Jan 28 13:04:47 2015 whisper.rb
Fri Jul  8 17:25:31 2016 wrap.rb
Mon Aug 23 11:16:54 2010 xosd
Mon Aug 23 11:16:54 2010 xosd/test.rb
$ duplicity list-current-files file:///data/backups | wc -l
2199

Don't know why there are more files there than quoted earlier (2157).

Recover an individual file from the backup.
$ duplicity --file-to-restore musica/simpler.rb file:///data/backups /tmp/simpler.rb
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Sat Apr 14 00:02:56 2018
GnuPG passphrase: 
$ ll /tmp/simpler.rb
-rwxr-xr-x 1 lcl lcl 26086 Oct 10  2016 /tmp/simpler.rb*

Dated backups not tested - that involves using a switch of the form '-t nD'.
Example: '-t 4D' for the backup created four days ago.

Reckon this is OK.

Whiteboard: (none) => MGA6-64-OK
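
The test above started from python-paramiko-2.0.0-1.mga6 and the advisory names python-paramiko-2.0.8-1.mga6 as the fixed build. Deciding "is this host still on an affected build" across a fleet needs an RPM-style version comparison rather than a string compare. The following is an added example written for this report, not Mageia's tooling and not rpm's own code: it reimplements rpm's rpmvercmp segment rules in Python (separators ignored, digit runs compared numerically, alpha runs lexically, numeric above alpha, longer wins when the shorter runs out, `~` sorting below everything), adds epoch/version/release handling, and runs it over a constructed inventory of `rpm -q python-paramiko` outputs. The host names other than difda and vega are invented, and rpm's newer `^` separator is not implemented.

```python
# Fixed build named in the advisory above (no epoch in the NVR, so epoch is 0).
FIXED_EVR = "2.0.8-1.mga6"


def rpmvercmp(a, b):
    """Compare two version (or release) strings with rpm's segment rules.
    Returns -1, 0 or 1.  Assumption: the '^' separator is not handled."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Skip separators such as '.', '-' and '_'; keep '~', which sorts lowest.
        while i < la and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < lb and not b[j].isalnum() and b[j] != "~":
            j += 1
        a_tilde, b_tilde = i < la and a[i] == "~", j < lb and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1          # b is a pre-release of something, a is not
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1   # both have '~': compare what follows
            continue
        if not (i < la and j < lb):
            break
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        si = i
        while i < la and pred(a[i]):
            i += 1
        sj = j
        while j < lb and pred(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:             # segment types differ: numeric sorts above alpha
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1   # whichever still has segments left is newer


def parse_evr(evr):
    """Split '[epoch:]version[-release]' into its three parts (epoch defaults to '0')."""
    epoch, version, release = "0", evr, ""
    if ":" in version:
        epoch, version = version.split(":", 1)
    if "-" in version:
        version, release = version.rsplit("-", 1)
    return epoch, version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def nvr_to_evr(name, nvr):
    """'python-paramiko-2.0.0-1.mga6' -> '2.0.0-1.mga6' for the given package name."""
    prefix = name + "-"
    if not nvr.startswith(prefix):
        raise ValueError(f"{nvr!r} is not a build of {name}")
    return nvr[len(prefix):]


def is_fixed(installed_evr, fixed_evr=FIXED_EVR):
    return evr_cmp(installed_evr, fixed_evr) >= 0


# Constructed inventory: host -> output of 'rpm -q python-paramiko' on that host.
INVENTORY = {
    "difda": "python-paramiko-2.0.0-1.mga6",    # the build comment 7 started from
    "vega": "python-paramiko-2.0.8-1.mga6",     # the fixed build from the advisory
    "build01": "python-paramiko-2.0.8-2.mga6",  # hypothetical later rebuild
}


def affected_hosts(inventory, name="python-paramiko", fixed_evr=FIXED_EVR):
    """Hosts whose installed build sorts below the fixed EVR."""
    return sorted(h for h, nvr in inventory.items()
                  if not is_fixed(nvr_to_evr(name, nvr), fixed_evr))


if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is older than {FIXED_EVR}")
```

Only builds of the same distribution release are meaningfully comparable this way (a mga7 release tag says nothing about a mga6 one), so the fixed EVR should be taken from the advisory for the release each host actually runs.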

Len Lawrence 2018-04-14 08:20:08 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2018-04-15 15:34:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0204.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

