I have verified the fix using openssh-server from noble-proposed. I created a container and enabled noble-proposed:

nr@six:~$ lxc launch ubuntu:noble noble
Launching noble
nr@six:~$ lxc exec noble bash
root@noble:~# cat > /etc/apt/sources.list.d/proposed.sources << EOF
> Types: deb
> URIs: http://us.archive.ubuntu.com/ubuntu/
> Suites: noble-proposed
> Components: main universe
> Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
> EOF
root@noble:~# apt update
Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
Hit:2 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:3 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu noble-security InRelease
Get:5 http://us.archive.ubuntu.com/ubuntu noble-proposed InRelease [265 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages [180 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu noble-proposed/main Translation-en [48.6 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Components [22.0 kB]
Get:9 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 c-n-f Metadata [3556 B]
Get:10 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 Packages [650 kB]
Get:11 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe Translation-en [79.1 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 Components [68.0 kB]
Get:13 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 c-n-f Metadata [10.7 kB]
Fetched 1326 kB in 1s (1275 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
16 packages can be upgraded. Run 'apt list --upgradable' to see them.

Then, I confirmed the bug was present with the CURRENT version:

root@noble:~# echo "LogLevel DEBUG" >> /etc/ssh/sshd_config.d/log-level.conf

In another terminal on my host, I ran:

ssh ubuntu@10.19.111.212

to initiate a session.
Then, back in the container:

root@noble:~# journalctl -t sshd -b -f
Oct 23 15:59:05 noble sshd[1283]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Oct 23 15:59:07 noble sshd[1283]: debug1: ssh_packet_read_poll2: resetting read seqnr 3 [preauth]
Oct 23 15:59:07 noble sshd[1283]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Oct 23 15:59:07 noble sshd[1283]: debug1: rekey in after 134217728 blocks [preauth]
Oct 23 15:59:07 noble sshd[1283]: debug1: KEX done [preauth]
Oct 23 15:59:07 noble sshd[1283]: debug1: SSH2_MSG_EXT_INFO received [preauth]
Oct 23 15:59:07 noble sshd[1283]: debug1: kex_ext_info_check_ver: ext-info-in-a...@openssh.com=<0> [preauth]
Oct 23 15:59:08 noble sshd[1283]: debug1: userauth-request for user ubuntu service ssh-connection method none [preauth]
Oct 23 15:59:08 noble sshd[1283]: debug1: attempt 0 failures 0 [preauth]
Oct 23 15:59:08 noble sshd[1283]: debug1: PAM: initializing for "ubuntu"
Oct 23 15:59:08 noble sshd[1283]: debug1: PAM: setting PAM_RHOST to "10.19.111.1"
Oct 23 15:59:08 noble sshd[1283]: debug1: PAM: setting PAM_TTY to "ssh"
Oct 23 15:59:08 noble sshd[1283]: debug1: kex_server_update_ext_info: Sending SSH2_MSG_EXT_INFO [preauth]
Oct 23 15:59:08 noble sshd[1283]: debug1: userauth-request for user ubuntu service ssh-connection method publickey [preauth]
Oct 23 15:59:08 noble sshd[1283]: debug1: attempt 1 failures 0 [preauth]
Oct 23 15:59:08 noble sshd[1283]: debug1: userauth_pubkey: publickey test pkalg rsa-sha2-512 pkblob RSA SHA256:VMGz6tsZ02V9ratWlExePp9LaOe2qIr7SiWLHP2aGrM [preauth]
Oct 23 15:59:08 noble sshd[1283]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
Oct 23 15:59:08 noble sshd[1283]: debug1: trying public key file /home/ubuntu/.ssh/authorized_keys
Oct 23 15:59:08 noble sshd[1283]: debug1: fd 3 clearing O_NONBLOCK
Oct 23 15:59:08 noble sshd[1283]: debug1: /home/ubuntu/.ssh/authorized_keys:1: matching key found: RSA SHA256:VMGz6tsZ02V9ratWlExePp9LaOe2qIr7SiWLHP2aGrM
Oct 23 15:59:08 noble sshd[1283]: debug1: /home/ubuntu/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Oct 23 15:59:08 noble sshd[1283]: Accepted key RSA SHA256:VMGz6tsZ02V9ratWlExePp9LaOe2qIr7SiWLHP2aGrM found at /home/ubuntu/.ssh/authorized_keys:1
Oct 23 15:59:08 noble sshd[1283]: debug1: restore_uid: 0/0
Oct 23 15:59:08 noble sshd[1283]: Postponed publickey for ubuntu from 10.19.111.1 port 33742 ssh2 [preauth]
Oct 23 15:59:08 noble sshd[1283]: debug1: userauth-request for user ubuntu service ssh-connection method publickey-hostbound-...@openssh.com [preauth]
Oct 23 15:59:08 noble sshd[1283]: debug1: attempt 2 failures 0 [preauth]
Oct 23 15:59:08 noble sshd[1283]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
Oct 23 15:59:08 noble sshd[1283]: debug1: trying public key file /home/ubuntu/.ssh/authorized_keys
Oct 23 15:59:08 noble sshd[1283]: debug1: fd 3 clearing O_NONBLOCK
Oct 23 15:59:08 noble sshd[1283]: debug1: /home/ubuntu/.ssh/authorized_keys:1: matching key found: RSA SHA256:VMGz6tsZ02V9ratWlExePp9LaOe2qIr7SiWLHP2aGrM
Oct 23 15:59:08 noble sshd[1283]: debug1: /home/ubuntu/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Oct 23 15:59:08 noble sshd[1283]: Accepted key RSA SHA256:VMGz6tsZ02V9ratWlExePp9LaOe2qIr7SiWLHP2aGrM found at /home/ubuntu/.ssh/authorized_keys:1
Oct 23 15:59:08 noble sshd[1283]: debug1: restore_uid: 0/0
Oct 23 15:59:08 noble sshd[1283]: debug1: auth_activate_options: setting new authentication options
Oct 23 15:59:08 noble sshd[1283]: debug1: do_pam_account: called
Oct 23 15:59:08 noble sshd[1283]: Accepted publickey for ubuntu from 10.19.111.1 port 33742 ssh2: RSA SHA256:VMGz6tsZ02V9ratWlExePp9LaOe2qIr7SiWLHP2aGrM
Oct 23 15:59:08 noble sshd[1283]: debug1: monitor_child_preauth: user ubuntu authenticated by privileged process
Oct 23 15:59:08 noble sshd[1283]: debug1: auth_activate_options: setting new authentication options [preauth]
Oct 23 15:59:08 noble sshd[1283]: debug1: monitor_read_log: child log fd closed
Oct 23 15:59:08 noble sshd[1283]: debug1: PAM: establishing credentials
Oct 23 15:59:08 noble sshd[1283]: pam_unix(sshd:session): session opened for user ubuntu(uid=1000) by ubuntu(uid=0)
Oct 23 15:59:08 noble sshd[1300]: run-parts: /etc/update-motd.d/98-fsck-at-reboot exited with return code 2
Oct 23 15:59:08 noble sshd[1283]: User child is on pid 1351
Oct 23 15:59:08 noble sshd[1351]: debug1: SELinux support disabled
Oct 23 15:59:08 noble sshd[1351]: debug1: PAM: establishing credentials
Oct 23 15:59:08 noble sshd[1351]: debug1: permanently_set_uid: 1000/1000
Oct 23 15:59:08 noble sshd[1351]: debug1: rekey in after 134217728 blocks
Oct 23 15:59:08 noble sshd[1351]: debug1: rekey out after 134217728 blocks
Oct 23 15:59:08 noble sshd[1351]: debug1: ssh_packet_set_postauth: called
Oct 23 15:59:08 noble sshd[1351]: debug1: active: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Oct 23 15:59:08 noble sshd[1351]: debug1: Entering interactive session for SSH2.
Oct 23 15:59:08 noble sshd[1351]: debug1: server_init_dispatch
Oct 23 15:59:08 noble sshd[1351]: debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
Oct 23 15:59:08 noble sshd[1351]: debug1: input_session_request
Oct 23 15:59:08 noble sshd[1351]: debug1: channel 0: new session [server-session] (inactive timeout: 0)
Oct 23 15:59:08 noble sshd[1351]: debug1: session_new: session 0
Oct 23 15:59:08 noble sshd[1351]: debug1: session_open: channel 0
Oct 23 15:59:08 noble sshd[1351]: debug1: session_open: session 0: link with channel 0
Oct 23 15:59:08 noble sshd[1351]: debug1: server_input_channel_open: confirm session
Oct 23 15:59:08 noble sshd[1351]: debug1: server_input_global_request: rtype no-more-sessi...@openssh.com want_reply 0
Oct 23 15:59:08 noble sshd[1351]: debug1: server_input_global_request: rtype hostkeys-prove...@openssh.com want_reply 1
Oct 23 15:59:08 noble sshd[1351]: debug1: server_input_channel_req: channel 0 request pty-req reply 1
Oct 23 15:59:08 noble sshd[1351]: debug1: session_by_channel: session 0 channel 0
Oct 23 15:59:08 noble sshd[1351]: debug1: session_input_channel_req: session 0 req pty-req
Oct 23 15:59:08 noble sshd[1351]: debug1: Allocating pty.
Oct 23 15:59:08 noble sshd[1283]: debug1: session_new: session 0
Oct 23 15:59:08 noble sshd[1283]: debug1: SELinux support disabled
Oct 23 15:59:08 noble sshd[1351]: debug1: session_pty_req: session 0 alloc /dev/pts/2
Oct 23 15:59:08 noble sshd[1351]: debug1: server_input_channel_req: channel 0 request env reply 0
Oct 23 15:59:08 noble sshd[1351]: debug1: session_by_channel: session 0 channel 0
Oct 23 15:59:08 noble sshd[1351]: debug1: session_input_channel_req: session 0 req env
Oct 23 15:59:08 noble sshd[1351]: debug1: server_input_channel_req: channel 0 request shell reply 1
Oct 23 15:59:08 noble sshd[1351]: debug1: session_by_channel: session 0 channel 0
Oct 23 15:59:08 noble sshd[1351]: debug1: session_input_channel_req: session 0 req shell
Oct 23 15:59:08 noble sshd[1351]: Starting session: shell on pts/2 for ubuntu from 10.19.111.1 port 33742 id 0
Oct 23 15:59:08 noble sshd[1352]: debug1: Setting controlling tty using TIOCSCTTY.
^C
root@noble:~# journalctl -t sshd -b --grep "rexec start"
root@noble:~#

Then, I installed the new version, and confirmed the fix:

root@noble:~# apt install -t noble-proposed openssh-server -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  openssh-client openssh-sftp-server
Suggested packages:
  keychain libpam-ssh monkeysphere ssh-askpass molly-guard
The following packages will be upgraded:
  openssh-client openssh-server openssh-sftp-server
3 upgraded, 0 newly installed, 0 to remove and 71 not upgraded.
Need to get 1451 kB of archives.
After this operation, 1024 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-sftp-server amd64 1:9.6p1-3ubuntu13.6 [37.3 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-server amd64 1:9.6p1-3ubuntu13.6 [509 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-client amd64 1:9.6p1-3ubuntu13.6 [905 kB]
Fetched 1451 kB in 4s (372 kB/s)
Preconfiguring packages ...
(Reading database ... 34495 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a9.6p1-3ubuntu13.6_amd64.deb ...
Unpacking openssh-sftp-server (1:9.6p1-3ubuntu13.6) over (1:9.6p1-3ubuntu13.5) ...
Preparing to unpack .../openssh-server_1%3a9.6p1-3ubuntu13.6_amd64.deb ...
Unpacking openssh-server (1:9.6p1-3ubuntu13.6) over (1:9.6p1-3ubuntu13.5) ...
Preparing to unpack .../openssh-client_1%3a9.6p1-3ubuntu13.6_amd64.deb ...
Unpacking openssh-client (1:9.6p1-3ubuntu13.6) over (1:9.6p1-3ubuntu13.5) ...
Setting up openssh-client (1:9.6p1-3ubuntu13.6) ...
Setting up openssh-sftp-server (1:9.6p1-3ubuntu13.6) ...
Setting up openssh-server (1:9.6p1-3ubuntu13.6) ...
Replacing config file /etc/ssh/sshd_config with new version
Processing triggers for man-db (2.12.0-4build2) ...
Processing triggers for ufw (0.36.2-6) ...
Scanning processes...
Scanning candidates...
No services need to be restarted.
No containers need to be restarted.
User sessions running outdated binaries:
 ubuntu @ session #3217: sshd[1283]
No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@noble:~# systemctl stop ssh.service
Stopping 'ssh.service', but its triggering units are still active:
 ssh.socket

In another terminal on my host, I ran:

ssh ubuntu@10.19.111.212

to initiate a session.
Then, back in the container:

root@noble:~# journalctl -t sshd -b -f --grep "rexec start"
Oct 23 16:00:51 noble sshd[1833]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8

** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble

https://bugs.launchpad.net/bugs/2071815

Title:
  Investigate ASLR re-randomization being disabled for children

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Noble:
  Fix Committed

Bug description:

[Impact]

The systemd-socket-activation.patch patch has an Ubuntu delta to fix bug 2011458, but this results in ASLR not being re-randomized for children because the patch delta does "rexec_flag = 0;".

This was discovered as part of the CVE-2024-6387 discovery by Qualys, and is mentioned in the disclosure itself:

  Side note: we discovered that Ubuntu 24.04 does not re-randomize the ASLR of its sshd children (it is randomized only once, at boot time); we tracked this down to the patch below, which turns off sshd's rexec_flag. This is generally a bad idea, but in the particular case of this signal handler race condition, it prevents sshd from being exploitable: the syslog() inside the SIGALRM handler does not call any of the malloc functions, because it is never the very first call to syslog().

This is also mentioned in the release notes of OpenSSH 9.8:

  Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes - this is a thing, no - we don't understand why) may potentially have an easier path to exploitation.

We should investigate why that was needed, and if an alternative way of fixing the original bug can be done.
[Test Plan]

We just want to test that when a connection is accepted by sshd, the child process re-execs. There is a log message at the debug level from sshd when this happens.

1. Enable debug-level logging in sshd:

   $ echo "LogLevel DEBUG" >> /etc/ssh/sshd_config.d/log-level.conf

2. Watch the logs:

   $ journalctl -t sshd -b -f

3. From another host, connect to the test machine:

   $ ssh <user>@<test host>

4. On the test machine, among other messages, there should be a message noting the start of the re-exec, e.g.:

   sshd[2212]: debug1: rexec start in 6 out 6 newsock 6 pipe 8 sock 9

[Where problems could occur]

Through the iterations of d/p/systemd-socket-activation.patch, there have been issues related to the re-exec behavior, and how the listen fds passed by systemd are handled. See [1][2] for examples. This patch hopes to finally resolve these issues. However, as was the case with previous bugs in this area, problems would most likely be related to incorrectly closing, or not closing, socket fds in sshd.

[1] https://bugs.launchpad.net/bugs/2020474
[2] https://bugs.launchpad.net/bugs/2011458
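The test plan above relies on eyeballing the journal for a "rexec start" line. The following added example (not part of the bug report or the openssh package) automates that check over `journalctl -t sshd -b` output: it pairs each "Accepted ..." login with the "rexec start" line from the same sshd pid, since the per-connection child re-execs itself in place and keeps its pid, and flags logins that were served by a child that never re-exec'd, which is exactly the pre-fix behaviour seen in the log above. The sample lines are constructed from the messages quoted in this report.

```python
import re

# Line shape produced by `journalctl -t sshd -b`, as seen in the verification log above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Logged by the re-exec'd child only; absent entirely when rexec_flag is forced to 0.
REXEC_RE = re.compile(r"^debug1: rexec start in \d+ out \d+ newsock \d+ pipe \d+ sock \d+")
# Successful authentication, logged by the same per-connection process (the monitor).
ACCEPT_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def audit_rexec(lines):
    """Map each sshd pid that accepted a login to its peer and whether it re-exec'd.

    Assumption (matches OpenSSH behaviour): the forked child execs itself in place,
    so 'rexec start' and the later 'Accepted ...' carry the same pid.
    """
    rexec_pids = set()
    accepted = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd journal line (e.g. a shell prompt or ^C)
        pid, msg = int(m["pid"]), m["msg"]
        if REXEC_RE.match(msg):
            rexec_pids.add(pid)
        a = ACCEPT_RE.match(msg)
        if a:
            accepted[pid] = f"{a['user']}@{a['ip']}:{a['port']}"
    return {pid: {"peer": peer, "rexec": pid in rexec_pids}
            for pid, peer in accepted.items()}


def pids_without_rexec(lines):
    """Pids that accepted a login without re-exec, i.e. children running with stale ASLR."""
    return sorted(pid for pid, r in audit_rexec(lines).items() if not r["rexec"])


# Constructed sample: pid 1283 mirrors the pre-fix run (no rexec line at all);
# pid 1833 mirrors the post-fix run, with a constructed 'Accepted' line for that pid.
SAMPLE = [
    "Oct 23 15:59:07 noble sshd[1283]: debug1: KEX done [preauth]",
    "Oct 23 15:59:08 noble sshd[1283]: Accepted publickey for ubuntu from 10.19.111.1 port 33742 ssh2: RSA SHA256:VMGz...",
    "Oct 23 16:00:51 noble sshd[1833]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8",
    "Oct 23 16:00:53 noble sshd[1833]: Accepted publickey for ubuntu from 10.19.111.1 port 33790 ssh2: RSA SHA256:VMGz...",
]

if __name__ == "__main__":
    for pid, r in audit_rexec(SAMPLE).items():
        print(pid, r["peer"], "re-exec'd" if r["rexec"] else "NO RE-EXEC (stale ASLR)")
```

On a live host, feed it `journalctl -t sshd -b --no-pager` output instead of SAMPLE; an empty result from pids_without_rexec() after a test login is the passing condition of the test plan.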