--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: dropb...@packages.debian.org
Control: affects -1 + src:dropbear
[ Reason ]
dropbear 2022.83-1 is vunerable to CVE-2023-48795 (terrapin attack).
https://terrapin-attack.com/
Based on https://bugs.debian.org/1059001 the security team argued this
didn't warrant a CVE, and suggested to go via s-pu instead.
[ Impact ]
Bookworm users will remain vulnerable to CVE-2023-48795. Details about
what that entails has been discussed on the upstream bug tracker at
https://github.com/mkj/dropbear/issues/270 , where one the terrapin
finder wrote that
| While it is true that not sending server-sig-algs does not prevent the
| client from trying SHA2-based RSA signatures, we observed the suggested
| behavior (preferring SHA-1 over SHA-2 when server-sig-algs is missing)
| in a wide variety of SSH clients. Also, the order of algorithms in
| server-sig-algs is used by some clients in case multiple private keys
| are present, potentially leading to downgrades as well.
|
| However, we do not consider this application of the Terrapin attack to
| have a significant impact. Instead, our main concern is the combination
| of Terrapin with implementation bugs, as seen in AsyncSSH. We evaluated
| only a handful of SSH implementations, where one already allowed for
| in-session man-in-the-middle attacks. Given the wide variety of SSH
| implementations, one can estimate with sufficient probability that other
| implementations face similar issues.
[ Tests ]
I checked the updated dropbear SSHd/dbclient against the Terrapin
scanner.
[ Risks ]
Risk is low: the patch comes from upstream and applied cleanly (no
upstream version was released since Bookworm was released).
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Implement Strict KEX mode to fix CVE-2023-48795 (terrapin attack).
--
Guilhem.
diffstat for dropbear-2022.83 dropbear-2022.83
changelog | 11 ++
patches/CVE-2023-48795.patch | 232 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
salsa-ci.yml | 8 +
4 files changed, 252 insertions(+)
diff -Nru dropbear-2022.83/debian/changelog dropbear-2022.83/debian/changelog
--- dropbear-2022.83/debian/changelog 2022-11-14 22:16:35.000000000 +0100
+++ dropbear-2022.83/debian/changelog 2024-01-26 10:01:00.000000000 +0100
@@ -1,3 +1,14 @@
+dropbear (2022.83-1+deb12u1) bookworm; urgency=medium
+
+ * Fix CVE-2023-48795: (terrapin attack): The SSH transport protocol with
+ certain OpenSSH extensions allows remote attackers to bypass integrity
+ checks such that some packets are omitted (from the extension negotiation
+ message), and a client and server may consequently end up with a
+ connection for which some security features have been downgraded or
+ disabled, aka a Terrapin attack. (Closes: #1059001)
+
+ -- Guilhem Moulin <guil...@debian.org> Fri, 26 Jan 2024 10:01:00 +0100
+
dropbear (2022.83-1) unstable; urgency=medium
* New upstream release 2022.83. Support for ssh-dss (DSA) host and user
diff -Nru dropbear-2022.83/debian/patches/CVE-2023-48795.patch
dropbear-2022.83/debian/patches/CVE-2023-48795.patch
--- dropbear-2022.83/debian/patches/CVE-2023-48795.patch 1970-01-01
01:00:00.000000000 +0100
+++ dropbear-2022.83/debian/patches/CVE-2023-48795.patch 2024-01-26
10:01:00.000000000 +0100
@@ -0,0 +1,232 @@
+From: Matt Johnston <m...@ucc.asn.au>
+Date: Mon, 20 Nov 2023 14:02:47 +0800
+Subject: Implement Strict KEX mode
+
+As specified by OpenSSH with kex-strict-c-...@openssh.com and
+kex-strict-s-...@openssh.com.
+
+Origin:
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-48795
+Bug-Debian: https://bugs.debian.org/1059001
+---
+ cli-session.c | 11 +++++++++++
+ common-algo.c | 6 ++++++
+ common-kex.c | 26 +++++++++++++++++++++++++-
+ kex.h | 3 +++
+ process-packet.c | 34 +++++++++++++++++++---------------
+ ssh.h | 4 ++++
+ svr-session.c | 3 +++
+ 7 files changed, 71 insertions(+), 16 deletions(-)
+
+diff --git a/cli-session.c b/cli-session.c
+index 5981b24..d261c8f 100644
+--- a/cli-session.c
++++ b/cli-session.c
+@@ -46,6 +46,7 @@ static void cli_finished(void) ATTRIB_NORETURN;
+ static void recv_msg_service_accept(void);
+ static void cli_session_cleanup(void);
+ static void recv_msg_global_request_cli(void);
++static void cli_algos_initialise(void);
+
+ struct clientsession cli_ses; /* GLOBAL */
+
+@@ -117,6 +118,7 @@ void cli_session(int sock_in, int sock_out, struct
dropbear_progress_connection
+ }
+
+ chaninitialise(cli_chantypes);
++ cli_algos_initialise();
+
+ /* Set up cli_ses vars */
+ cli_session_init(proxy_cmd_pid);
+@@ -487,3 +489,12 @@ void cli_dropbear_log(int priority, const char* format,
va_list param) {
+ fflush(stderr);
+ }
+
++static void cli_algos_initialise(void) {
++ algo_type *algo;
++ for (algo = sshkex; algo->name; algo++) {
++ if (strcmp(algo->name, SSH_STRICT_KEX_S) == 0) {
++ algo->usable = 0;
++ }
++ }
++}
++
+diff --git a/common-algo.c b/common-algo.c
+index 378f0ca..f9d46eb 100644
+--- a/common-algo.c
++++ b/common-algo.c
+@@ -307,6 +307,12 @@ algo_type sshkex[] = {
+ /* Set unusable by svr_algos_initialise() */
+ {SSH_EXT_INFO_C, 0, NULL, 1, NULL},
+ #endif
++#endif
++#if DROPBEAR_CLIENT
++ {SSH_STRICT_KEX_C, 0, NULL, 1, NULL},
++#endif
++#if DROPBEAR_SERVER
++ {SSH_STRICT_KEX_S, 0, NULL, 1, NULL},
+ #endif
+ {NULL, 0, NULL, 0, NULL}
+ };
+diff --git a/common-kex.c b/common-kex.c
+index ac88442..8e33b12 100644
+--- a/common-kex.c
++++ b/common-kex.c
+@@ -183,6 +183,10 @@ void send_msg_newkeys() {
+ gen_new_keys();
+ switch_keys();
+
++ if (ses.kexstate.strict_kex) {
++ ses.transseq = 0;
++ }
++
+ TRACE(("leave send_msg_newkeys"))
+ }
+
+@@ -193,7 +197,11 @@ void recv_msg_newkeys() {
+
+ ses.kexstate.recvnewkeys = 1;
+ switch_keys();
+-
++
++ if (ses.kexstate.strict_kex) {
++ ses.recvseq = 0;
++ }
++
+ TRACE(("leave recv_msg_newkeys"))
+ }
+
+@@ -550,6 +558,10 @@ void recv_msg_kexinit() {
+
+ ses.kexstate.recvkexinit = 1;
+
++ if (ses.kexstate.strict_kex && !ses.kexstate.donefirstkex &&
ses.recvseq != 1) {
++ dropbear_exit("First packet wasn't kexinit");
++ }
++
+ TRACE(("leave recv_msg_kexinit"))
+ }
+
+@@ -859,6 +871,18 @@ static void read_kex_algos() {
+ }
+ #endif
+
++ if (!ses.kexstate.donefirstkex) {
++ const char* strict_name;
++ if (IS_DROPBEAR_CLIENT) {
++ strict_name = SSH_STRICT_KEX_S;
++ } else {
++ strict_name = SSH_STRICT_KEX_C;
++ }
++ if (buf_has_algo(ses.payload, strict_name) == DROPBEAR_SUCCESS)
{
++ ses.kexstate.strict_kex = 1;
++ }
++ }
++
+ algo = buf_match_algo(ses.payload, sshkex, kexguess2, &goodguess);
+ allgood &= goodguess;
+ if (algo == NULL || algo->data == NULL) {
+diff --git a/kex.h b/kex.h
+index 77cf21a..7fcc3c2 100644
+--- a/kex.h
++++ b/kex.h
+@@ -83,6 +83,9 @@ struct KEXState {
+
+ unsigned our_first_follows_matches : 1;
+
++ /* Boolean indicating that strict kex mode is in use */
++ unsigned int strict_kex;
++
+ time_t lastkextime; /* time of the last kex */
+ unsigned int datatrans; /* data transmitted since last kex */
+ unsigned int datarecv; /* data received since last kex */
+diff --git a/process-packet.c b/process-packet.c
+index 9454160..133a152 100644
+--- a/process-packet.c
++++ b/process-packet.c
+@@ -44,6 +44,7 @@ void process_packet() {
+
+ unsigned char type;
+ unsigned int i;
++ unsigned int first_strict_kex = ses.kexstate.strict_kex &&
!ses.kexstate.donefirstkex;
+ time_t now;
+
+ TRACE2(("enter process_packet"))
+@@ -54,22 +55,24 @@ void process_packet() {
+ now = monotonic_now();
+ ses.last_packet_time_keepalive_recv = now;
+
+- /* These packets we can receive at any time */
+- switch(type) {
+
+- case SSH_MSG_IGNORE:
+- goto out;
+- case SSH_MSG_DEBUG:
+- goto out;
++ if (type == SSH_MSG_DISCONNECT) {
++ /* Allowed at any time */
++ dropbear_close("Disconnect received");
++ }
+
+- case SSH_MSG_UNIMPLEMENTED:
+- /* debugging XXX */
+- TRACE(("SSH_MSG_UNIMPLEMENTED"))
+- goto out;
+-
+- case SSH_MSG_DISCONNECT:
+- /* TODO cleanup? */
+- dropbear_close("Disconnect received");
++ /* These packets may be received at any time,
++ except during first kex with strict kex */
++ if (!first_strict_kex) {
++ switch(type) {
++ case SSH_MSG_IGNORE:
++ goto out;
++ case SSH_MSG_DEBUG:
++ goto out;
++ case SSH_MSG_UNIMPLEMENTED:
++ TRACE(("SSH_MSG_UNIMPLEMENTED"))
++ goto out;
++ }
+ }
+
+ /* Ignore these packet types so that keepalives don't interfere with
+@@ -98,7 +101,8 @@ void process_packet() {
+ if (type >= 1 && type <= 49
+ && type != SSH_MSG_SERVICE_REQUEST
+ && type != SSH_MSG_SERVICE_ACCEPT
+- && type != SSH_MSG_KEXINIT)
++ && type != SSH_MSG_KEXINIT
++ && !first_strict_kex)
+ {
+ TRACE(("unknown allowed packet during kexinit"))
+ recv_unimplemented();
+diff --git a/ssh.h b/ssh.h
+index 1b4fec6..ef3efdc 100644
+--- a/ssh.h
++++ b/ssh.h
+@@ -100,6 +100,10 @@
+ #define SSH_EXT_INFO_C "ext-info-c"
+ #define SSH_SERVER_SIG_ALGS "server-sig-algs"
+
++/* OpenSSH strict KEX feature */
++#define SSH_STRICT_KEX_S "kex-strict-s-...@openssh.com"
++#define SSH_STRICT_KEX_C "kex-strict-c-...@openssh.com"
++
+ /* service types */
+ #define SSH_SERVICE_USERAUTH "ssh-userauth"
+ #define SSH_SERVICE_USERAUTH_LEN 12
+diff --git a/svr-session.c b/svr-session.c
+index 769f073..a538e2c 100644
+--- a/svr-session.c
++++ b/svr-session.c
+@@ -370,6 +370,9 @@ static void svr_algos_initialise(void) {
+ algo->usable = 0;
+ }
+ #endif
++ if (strcmp(algo->name, SSH_STRICT_KEX_C) == 0) {
++ algo->usable = 0;
++ }
+ }
+ }
+
diff -Nru dropbear-2022.83/debian/patches/series
dropbear-2022.83/debian/patches/series
--- dropbear-2022.83/debian/patches/series 2022-11-14 22:16:35.000000000
+0100
+++ dropbear-2022.83/debian/patches/series 2024-01-26 10:01:00.000000000
+0100
@@ -1,3 +1,4 @@
fix-FTBFS-on-hurd-i386.patch
support-running-test_aslr-without-venv.patch
raise-connection-delay-in-tests.patch
+CVE-2023-48795.patch
diff -Nru dropbear-2022.83/debian/salsa-ci.yml
dropbear-2022.83/debian/salsa-ci.yml
--- dropbear-2022.83/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000
+0100
+++ dropbear-2022.83/debian/salsa-ci.yml 2024-01-26 10:01:00.000000000
+0100
@@ -0,0 +1,8 @@
+---
+include:
+ -
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'bookworm'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
signature.asc
Description: PGP signature
--- End Message ---
