=========================
We plan on retiring more legacy cryptography in a near-future
release, specifically:
* Refusing all RSA keys smaller than 1024 bits (the current minimum
is 768 bits)
This list reflects our current intentions, but please check the final
release notes for future releases.
Potentially-incompatible changes
================================
This release disables a number of legacy cryptographic algorithms
by default in ssh:
* Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants
and the rijndael-cbc aliases for AES.
* MD5-based and truncated HMAC algorithms.
These algorithms are already disabled by default in sshd.
Changes since OpenSSH 7.1p2
===========================
This is primarily a bugfix release.
Security
--------
* ssh(1), sshd(8): remove unfinished and unused roaming code (was
already forcibly disabled in OpenSSH 7.1p2).
* ssh(1): eliminate fallback from untrusted X11 forwarding to
trusted forwarding when the X server disables the SECURITY
extension.
* ssh(1), sshd(8): increase the minimum modulus size supported for
diffie-hellman-group-exchange to 2048 bits.
* sshd(8): pre-auth sandboxing is now enabled by default (previous
releases enabled it for new installations via sshd_config).
New Features
------------
* all: add support for RSA signatures using SHA-256/512 hash
algorithms based on draft-rsa-dsa-sha2-256-03.txt and
draft-ssh-ext-info-04.txt.
* ssh(1): Add an AddKeysToAgent client option which can be set to
'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When
enabled, a private key that is used during authentication will be
added to ssh-agent if it is running (with confirmation enabled if
set to 'confirm').
* sshd(8): add a new authorized_keys option "restrict" that includes
all current and future key restrictions (no-*-forwarding, etc.).
Also add permissive versions of the existing restrictions, e.g.
"no-pty" -> "pty". This simplifies the task of setting up
restricted keys and ensures they are maximally-restricted,
regardless of any permissions we might implement in the future.
* ssh(1): add ssh_config CertificateFile option to explicitly list
certificates. bz#2436
* ssh-keygen(1): allow ssh-keygen to change the key comment for all
supported formats.
* ssh-keygen(1): allow fingerprinting from standard input, e.g.
"ssh-keygen -lf -"
* ssh-keygen(1): allow fingerprinting multiple public keys in a
file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys" bz#1319
* sshd(8): support "none" as an argument for sshd_config
Foreground and ChrootDirectory. Useful inside Match blocks to
override a global default. bz#2486
* ssh-keygen(1): support multiple certificates (one per line) and
reading from standard input (using "-f -") for "ssh-keygen -L"
* ssh-keyscan(1): add "ssh-keyscan -c ..." flag to allow fetching
certificates instead of plain keys.
* ssh(1): better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
hostname canonicalisation - treat them as already canonical and
remove the trailing '.' before matching ssh_config.
Bugfixes
--------
* sftp(1): existing destination directories should not terminate
recursive uploads (regression in openssh 6.8) bz#2528
* ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED
replies to unexpected messages during key exchange. bz#2949
* ssh(1): refuse attempts to set ConnectionAttempts=0, which does
not make sense and would cause ssh to print an uninitialised stack
variable. bz#2500
* ssh(1): fix errors when attempting to connect to scoped IPv6
addresses with hostname canonicalisation enabled.
* sshd_config(5): list a couple more options usable in Match blocks.
bz#2489
* sshd(8): fix "PubkeyAcceptedKeyTypes +..." inside a Match block.
* ssh(1): expand tilde characters in filenames passed to -i options
before checking whether or not the identity file exists. Avoids
confusion for cases where shell doesn't expand (e.g. "-i ~/file"
vs. "-i~/file"). bz#2481
* ssh(1): do not prepend "exec" to the shell command run by "Match
exec" in a config file, which could cause some commands to fail
in certain environments. bz#2471
* ssh-keyscan(1): fix output for multiple hosts/addrs on one line
when host hashing or a non standard port is in use bz#2479
* sshd(8): skip "Could not chdir to home directory" message when
ChrootDirectory is active. bz#2485
* ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump.
* sshd(8): avoid changing TunnelForwarding device flags if they are
already what is needed; makes it possible to use tun/tap
networking as non-root user if device permissions and interface
flags are pre-established
* ssh(1), sshd(8): RekeyLimits could be exceeded by one packet.
bz#2521
* ssh(1): fix multiplexing master failure to notice client exit.
* ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that present
empty key IDs. bz#1773
* sshd(8): avoid printf of NULL argument. bz#2535
* ssh(1), sshd(8): allow RekeyLimits larger than 4GB. bz#2521
* ssh-keygen(1): sshd(8): fix several bugs in (unused) KRL signature
support.
* ssh(1), sshd(8): fix connections with peers that use the key
exchange guess feature of the protocol. bz#2515
* sshd(8): include remote port number in log messages. bz#2503
* ssh(1): don't try to load SSHv1 private key when compiled without
SSHv1 support. bz#2505
* ssh-agent(1), ssh(1): fix incorrect error messages during key
loading and signing errors. bz#2507
* ssh-keygen(1): don't leave empty temporary files when performing
known_hosts file edits when known_hosts doesn't exist.
* sshd(8): correct packet format for tcpip-forward replies for
requests that don't allocate a port bz#2509
* ssh(1), sshd(8): fix possible hang on closed output. bz#2469
* ssh(1): expand %i in ControlPath to UID. bz#2449
* ssh(1), sshd(8): fix return type of openssh_RSA_verify. bz#2460
* ssh(1), sshd(8): fix some option parsing memory leaks. bz#2182
* ssh(1): add a some debug output before DNS resolution; it's a
place where ssh could previously silently stall in cases of
unresponsive DNS servers. bz#2433
* ssh(1): remove spurious newline in visual hostkey. bz#2686
* ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+...
* ssh(1): fix expansion of HostkeyAlgorithms=+...
Documentation
-------------
* ssh_config(5), sshd_config(5): update default algorithm lists to
match current reality. bz#2527
* ssh(1): mention -Q key-plain and -Q key-cert query options.
bz#2455
* sshd_config(8): more clearly describe what AuthorizedKeysFile=none
does.
* ssh_config(5): better document ExitOnForwardFailure. bz#2444
* sshd(5): mention internal DH-GEX fallback groups in manual.
bz#2302
* sshd_config(5): better description for MaxSessions option.
bz#2531
Portability
-----------
* ssh(1), sftp-server(8), ssh-agent(1), sshd(8): Support Illumos/
Solaris fine-grained privileges. Including a pre-auth privsep
sandbox and several pledge() emulations. bz#2511
* Renovate redhat/openssh.spec, removing deprecated options and
syntax.
* configure: allow --without-ssl-engine with --without-openssl
* sshd(8): fix multiple authentication using S/Key. bz#2502
* sshd(8): read back from libcrypto RAND_* before dropping
privileges. Avoids sandboxing violations with BoringSSL.
* Fix name collision with system-provided glob(3) functions.
bz#2463
* Adapt Makefile to use ssh-keygen -A when generating host keys.
bz#2459
* configure: correct default value for --with-ssh1 bz#2457
* configure: better detection of _res symbol bz#2259
* support getrandom() syscall on Linux
=========================================
NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as
well as removing SSLv2 EXPORT ciphers. We strongly advise against the use of
SSLv2 due not only to the issues described below, but to the other known
deficiencies in the protocol as described at
https://tools.ietf.org/html/rfc6176
Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
================================================================
Severity: High
A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle. Note that traffic between clients and
non-vulnerable servers can be decrypted provided another server supporting
SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or
POP) shares the RSA keys of the non-vulnerable server. This vulnerability is
known as DROWN (CVE-2016-0800).
Recovering one session key requires the attacker to perform approximately 2^50
computation, as well as thousands of connections to the affected server. A more
efficient variant of the DROWN attack exists against unpatched OpenSSL servers
using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on
19/Mar/2015 (see CVE-2016-0703 below).
Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS
servers, if they've not done so already. Disabling all SSLv2 ciphers is also
sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and
1.0.2f) have been deployed. Servers that have not disabled the SSLv2 protocol,
and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2
ciphers are nominally disabled, because malicious clients can force the use of
SSLv2 with EXPORT ciphers.
OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN:
SSLv2 is now by default disabled at build-time. Builds that are not configured
with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will
need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
as appropriate. Even if either of those is used, or the application explicitly
uses the version-specific SSLv2_method() or its client or server variants,
SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed.
Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no
longer available.
In addition, weak ciphers in SSLv3 and up are now disabled in default builds of
OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will
not provide any "EXPORT" or "LOW" strength ciphers.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on December 29th 2015 by Nimrod Aviram and
Sebastian Schinzel. The fix was developed by Viktor Dukhovni and Matt Caswell
of OpenSSL.
Double-free in DSA code (CVE-2016-0705)
=======================================
Severity: Low
A double free bug was discovered when OpenSSL parses malformed DSA private keys
and could lead to a DoS attack or memory corruption for applications that
receive DSA private keys from untrusted sources. This scenario is considered
rare.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on February 7th 2016 by Adam Langley
(Google/BoringSSL) using libFuzzer. The fix was developed by Dr Stephen Henson
of OpenSSL.
Memory leak in SRP database lookups (CVE-2016-0798)
===================================================
Severity: Low
The SRP user database lookup method SRP_VBASE_get_by_user had
confusing memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no way of
distinguishing these two cases.
Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection. Servers that do not configure SRP, or
configure SRP but do not configure a seed are not vulnerable.
In Apache, the seed directive is known as SSLSRPUnknownUserSeed.
To mitigate the memory leak, the seed handling in
SRP_VBASE_get_by_user is now disabled even if the user has configured
a seed. Applications are advised to migrate to
SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong
guarantees about the indistinguishability of valid and invalid
logins. In particular, computations are currently not carried out in
constant time.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was discovered on February 23rd 2016 by Emilia Käsper of
the OpenSSL development team. Emilia Käsper also developed the fix.
BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
======================================================================
Severity: Low
In the BN_hex2bn function the number of hex digits is calculated using an int
value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values
of |i| this can result in |bn_expand| not allocating any memory because |i * 4|
is negative. This can leave the internal BIGNUM data field as NULL leading to a
subsequent NULL ptr deref. For very large values of |i|, the calculation |i * 4|
could be a positive value smaller than |i|. In this case memory is allocated to
the internal BIGNUM data field, but it is insufficiently sized leading to heap
corruption. A similar issue exists in BN_dec2bn. This could have security
consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with
very large untrusted hex/dec data. This is anticipated to be a rare occurrence.
All OpenSSL internal usage of these functions use data that is not expected to
be untrusted, e.g. config file data or application command line arguments. If
user developed applications generate config file data based on untrusted data
then it is possible that this could also lead to security consequences. This is
also anticipated to be rare.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on February 19th 2016 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.
Fix memory issues in BIO_*printf functions (CVE-2016-0799)
==========================================================
Severity: Low
The internal |fmtstr| function used in processing a "%s" format string in the
BIO_*printf functions could overflow while calculating the length of a string
and cause an OOB read when printing very long strings.
Additionally the internal |doapr_outch| function can attempt to write to an OOB
memory location (at an offset from the NULL pointer) in the event of a memory
allocation failure. In 1.0.2 and below this could be caused where the size of a
buffer to be allocated is greater than INT_MAX. E.g. this could be in processing
a very long "%s" format string. Memory leaks can also occur.
The first issue may mask the second issue dependent on compiler behaviour.
These problems could enable attacks where large amounts of untrusted data is
passed to the BIO_*printf functions. If applications use these functions in this
way then they could be vulnerable. OpenSSL itself uses these functions when
printing out human-readable dumps of ASN.1 data. Therefore applications that
print this data could be vulnerable if the data is from untrusted sources.
OpenSSL command line applications could also be vulnerable where they print out
ASN.1 data, or if untrusted data is passed as command line arguments.
Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on February 23rd by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.
Side channel attack on modular exponentiation (CVE-2016-0702)
=============================================================
Severity: Low
A side-channel attack was found which makes use of cache-bank conflicts on the
Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA
keys. The ability to exploit this issue is limited as it relies on an attacker
who has control of code in a thread running on the same hyper-threaded core as
the victim thread which is performing decryptions.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on Jan 8th 2016 by Yuval Yarom, The
University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv
University, and Nadia Heninger, University of Pennsylvania with more
information at http://cachebleed.info. The fix was developed by Andy Polyakov
of OpenSSL.
Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
================================================================
Severity: High
This issue only affected versions of OpenSSL prior to March 19th 2015 at which
time the code was refactored to address vulnerability CVE-2015-0293.
s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If
clear-key bytes are present for these ciphers, they *displace* encrypted-key
bytes. This leads to an efficient divide-and-conquer key recovery attack: if an
eavesdropper has intercepted an SSLv2 handshake, they can use the server as an
oracle to determine the SSLv2 master-key, using only 16 connections to the
server and negligible computation.
More importantly, this leads to a more efficient version of DROWN that is
effective against non-export ciphersuites, and requires no significant
computation.
This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all
earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf
(released March 19th 2015).
This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J.
Alex Halderman of the University of Michigan. The underlying defect had by
then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015. The fix
for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d
(1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf).
Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
==============================================
Severity: Moderate
This issue only affected versions of OpenSSL prior to March 19th 2015 at which
time the code was refactored to address the vulnerability CVE-2015-0293.
s2_srvr.c overwrite the wrong bytes in the master-key when applying
Bleichenbacher protection for export cipher suites. This provides a
Bleichenbacher oracle, and could potentially allow more efficient variants of
the DROWN attack.
This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all
earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf
(released March 19th 2015).
This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J.
Alex Halderman of the University of Michigan. The underlying defect had by
then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015. The fix
for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d
(1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf).
Note
====
As per our previous announcements and our Release Strategy
(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL
version 1.0.1 will cease on 31st December 2016. No security updates for that
version will be provided after that date. Users of 1.0.1 are advised to
upgrade.
Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those
versions are no longer receiving security updates.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20160301.txt
Note: the online version of the advisory may be updated with additional details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
_______________
Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
*) Protection for DH small subgroup attacks
As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
switched on by default and cannot be disabled. This could have some
performance impact.
[Matt Caswell]
*) SSLv2 doesn't block disabled ciphers
A malicious client can negotiate SSLv2 ciphers that have been disabled on
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
been disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.
This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
and Sebastian Schinzel.
(CVE-2015-3197)
[Viktor Dukhovni]
*) Reject DH handshakes with parameters shorter than 1024 bits.
[Kurt Roeckx]
OpenSSL Security Advisory [3 Dec 2015] - Updated [4 Dec 2015]
=============================================================
[Updated 4 Dec 2015]: This advisory has been updated to include the details of
CVE-2015-1794, a Low severity issue affecting OpenSSL 1.0.2 which had a fix
included in the released packages but was missed from the advisory text.
NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE
0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS
PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.
BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
==================================================================
Severity: Moderate
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites.
This issue affects OpenSSL version 1.0.2.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
This issue was reported to OpenSSL on August 13 2015 by Hanno
Böck. The fix was developed by Andy Polyakov of the OpenSSL
development team.
Certificate verify crash with missing PSS parameter (CVE-2015-3194)
===================================================================
Severity: Moderate
The signature verification routines will crash with a NULL pointer dereference
if presented with an ASN.1 signature using the RSA PSS algorithm and absent
mask generation function parameter. Since these routines are used to verify
certificate signature algorithms this can be used to crash any certificate
verification operation and exploited in a DoS attack. Any application which
performs certificate verification is vulnerable including OpenSSL clients and
servers which enable client authentication.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
This issue was reported to OpenSSL on August 27 2015 by Loïc Jonas Etienne
(Qnective AG). The fix was developed by Dr. Stephen Henson of the OpenSSL
development team.
X509_ATTRIBUTE memory leak (CVE-2015-3195)
==========================================
Severity: Moderate
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
memory. This structure is used by the PKCS#7 and CMS routines so any
application which reads PKCS#7 or CMS data from untrusted sources is affected.
SSL/TLS is not affected.
This issue affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
OpenSSL 1.0.0 users should upgrade to 1.0.0t
OpenSSL 0.9.8 users should upgrade to 0.9.8zh
This issue was reported to OpenSSL on November 9 2015 by Adam Langley
(Google/BoringSSL) using libFuzzer. The fix was developed by Dr. Stephen
Henson of the OpenSSL development team.
Race condition handling PSK identify hint (CVE-2015-3196)
=========================================================
Severity: Low
If PSK identity hints are received by a multi-threaded client then
the values are wrongly updated in the parent SSL_CTX structure. This can
result in a race condition potentially leading to a double free of the
identify hint data.
This issue was fixed in OpenSSL 1.0.2d and 1.0.1p but has not been previously
listed in an OpenSSL security advisory. This issue also affects OpenSSL 1.0.0
and has not been previously fixed in an OpenSSL 1.0.0 release.
OpenSSL 1.0.2 users should upgrade to 1.0.2d
OpenSSL 1.0.1 users should upgrade to 1.0.1p
OpenSSL 1.0.0 users should upgrade to 1.0.0t
The fix for this issue can be identified in the OpenSSL git repository by commit
ids 3c66a669dfc7 (1.0.2), d6be3124f228 (1.0.1) and 1392c238657e (1.0.0).
The fix was developed by Dr. Stephen Henson of the OpenSSL development team.
Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)
============================================================
Severity: Low
If a client receives a ServerKeyExchange for an anonymous DH ciphersuite with
the value of p set to 0 then a seg fault can occur leading to a possible denial
of service attack.
This issue affects OpenSSL version 1.0.2.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
This issue was reported to OpenSSL on August 3 2015 by Guy Leaver (Cisco). The
fix was developed by Matt Caswell of the OpenSSL development team.
Note
====
As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
versions will be provided after that date. In the absence of significant
security issues being identified prior to that date, the 1.0.0t and 0.9.8zh
releases will be the last for those versions. Users of these versions are
advised to upgrade.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20151203.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
Changes since OpenSSH 6.9
=========================
This focus of this release is primarily to deprecate weak, legacy
and/or unsafe cryptography.
Security
--------
* sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-
writable. Local attackers may be able to write arbitrary messages
to logged-in users, including terminal escape sequences.
Reported by Nikolay Edigaryev.
* sshd(8): Portable OpenSSH only: Fixed a privilege separation
weakness related to PAM support. Attackers who could successfully
compromise the pre-authentication process for remote code
execution and who had valid credentials on the host could
impersonate other users. Reported by Moritz Jodeit.
* sshd(8): Portable OpenSSH only: Fixed a use-after-free bug
related to PAM support that was reachable by attackers who could
compromise the pre-authentication process for remote code
execution. Also reported by Moritz Jodeit.
* sshd(8): fix circumvention of MaxAuthTries using keyboard-
interactive authentication. By specifying a long, repeating
keyboard-interactive "devices" string, an attacker could request
the same authentication method be tried thousands of times in
a single pass. The LoginGraceTime timeout in sshd(8) and any
authentication failure delays implemented by the authentication
mechanism itself were still applied. Found by Kingcope.
Potentially-incompatible Changes
--------------------------------
* Support for the legacy SSH version 1 protocol is disabled by
default at compile time.
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
is disabled by default at run-time. It may be re-enabled using
the instructions at http://www.openssh.com/legacy.html
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
by default at run-time. These may be re-enabled using the
instructions at http://www.openssh.com/legacy.html
* Support for the legacy v00 cert format has been removed.
* The default for the sshd_config(5) PermitRootLogin option has
changed from "yes" to "prohibit-password".
* PermitRootLogin=without-password/prohibit-password now bans all
interactive authentication methods, allowing only public-key,
hostbased and GSSAPI authentication (previously it permitted
keyboard-interactive and password-less authentication if those
were enabled).
New Features
------------
* ssh_config(5): add PubkeyAcceptedKeyTypes option to control which
public key types are available for user authentication.
* sshd_config(5): add HostKeyAlgorithms option to control which
public key types are offered for host authentications.
* ssh(1), sshd(8): extend Ciphers, MACs, KexAlgorithms,
HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes
options to allow appending to the default set of algorithms
instead of replacing it. Options may now be prefixed with a '+'
to append to the default, e.g. "HostKeyAlgorithms=+ssh-dss".
* sshd_config(5): PermitRootLogin now accepts an argument of
'prohibit-password' as a less-ambiguous synonym of 'without-
password'.
Bugfixes
--------
* ssh(1), sshd(8): add compatability workarounds for Cisco and more
PuTTY versions. bz#2424
* Fix some omissions and errors in the PROTOCOL and PROTOCOL.mux
documentation relating to Unix domain socket forwarding;
bz#2421 bz#2422
* ssh(1): Improve the ssh(1) manual page to include a better
description of Unix domain socket forwarding; bz#2423
* ssh(1), ssh-agent(1): skip uninitialised PKCS#11 slots, fixing
failures to load keys when they are present. bz#2427
* ssh(1), ssh-agent(1): do not ignore PKCS#11 hosted keys that wth
empty CKA_ID; bz#2429
* sshd(8): clarify documentation for UseDNS option; bz#2045
the support in the rest of the source tree.
X11 sets could use some cleaning up perhaps (just deletion, as
we've never really marked the old X11R6 as obsolete for native
xorg using platforms so far either.)
*) Alternate chains certificate forgery
During certificate verfification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
bypassed, such as the CA flag, enabling them to use a valid leaf
certificate to act as a CA and "issue" an invalid certificate.
This issue was reported to OpenSSL by Adam Langley/David Benjamin
(Google/BoringSSL).
[Matt Caswell]
=========================
This is primarily a bugfix release.
Security
--------
* ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
connections made after ForwardX11Timeout expired could be permitted
and no longer subject to XSECURITY restrictions because of an
ineffective timeout check in ssh(1) coupled with "fail open"
behaviour in the X11 server when clients attempted connections with
expired credentials. This problem was reported by Jann Horn.
* ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
password guessing by implementing an increasing failure delay,
storing a salted hash of the password rather than the password
itself and using a timing-safe comparison function for verifying
unlock attempts. This problem was reported by Ryan Castellucci.
New Features
------------
* ssh(1), sshd(8): promote chacha20-poly1305@openssh.com to be the
default cipher
* sshd(8): support admin-specified arguments to AuthorizedKeysCommand;
bz#2081
* sshd(8): add AuthorizedPrincipalsCommand that allows retrieving
authorized principals information from a subprocess rather than
a file.
* ssh(1), ssh-add(1): support PKCS#11 devices with external PIN
entry devices bz#2240
* sshd(8): allow GSSAPI host credential check to be relaxed for
multihomed hosts via GSSAPIStrictAcceptorCheck option; bz#928
* ssh-keygen(1): support "ssh-keygen -lF hostname" to search
known_hosts and print key hashes rather than full keys.
* ssh-agent(1): add -D flag to leave ssh-agent in foreground without
enabling debug mode; bz#2381
Bugfixes
--------
* ssh(1), sshd(8): deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD
message and do not try to use it against some 3rd-party SSH
implementations that use it (older PuTTY, WinSCP).
* Many fixes for problems caused by compile-time deactivation of
SSH1 support (including bz#2369)
* ssh(1), sshd(8): cap DH-GEX group size at 4Kbits for Cisco
implementations as some would fail when attempting to use group
sizes >4K; bz#2209
* ssh(1): fix out-of-bound read in EscapeChar configuration option
parsing; bz#2396
* sshd(8): fix application of PermitTunnel, LoginGraceTime,
AuthenticationMethods and StreamLocalBindMask options in Match
blocks
* ssh(1), sshd(8): improve disconnection message on TCP reset;
bz#2257
* ssh(1): remove failed remote forwards established by muliplexing
from the list of active forwards; bz#2363
* sshd(8): make parsing of authorized_keys "environment=" options
independent of PermitUserEnv being enabled; bz#2329
* sshd(8): fix post-auth crash with permitopen=none; bz#2355
* ssh(1), ssh-add(1), ssh-keygen(1): allow new-format private keys
to be encrypted with AEAD ciphers; bz#2366
* ssh(1): allow ListenAddress, Port and AddressFamily configuration
options to appear in any order; bz#86
* sshd(8): check for and reject missing arguments for VersionAddendum
and ForceCommand; bz#2281
* ssh(1), sshd(8): don't treat unknown certificate extensions as
fatal; bz#2387
* ssh-keygen(1): make stdout and stderr output consistent; bz#2325
* ssh(1): mention missing DISPLAY environment in debug log when X11
forwarding requested; bz#1682
* sshd(8): correctly record login when UseLogin is set; bz#378
* sshd(8): Add some missing options to sshd -T output and fix output
of VersionAddendum and HostCertificate. bz#2346
* Document and improve consistency of options that accept a "none"
argument" TrustedUserCAKeys, RevokedKeys (bz#2382),
AuthorizedPrincipalsFile (bz#2288)
* ssh(1): include remote username in debug output; bz#2368
* sshd(8): avoid compatibility problem with some versions of Tera
Term, which would crash when they received the hostkeys notification
message (hostkeys-00@openssh.com)
* sshd(8): mention ssh-keygen -E as useful when comparing legacy MD5
host key fingerprints; bz#2332
* ssh(1): clarify pseudo-terminal request behaviour and use make
manual language consistent; bz#1716
* ssh(1): document that the TERM environment variable is not subject
to SendEnv and AcceptEnv; bz#2386
*) Malformed ECParameters causes infinite loop
When processing an ECParameters structure OpenSSL enters an infinite loop
if the curve specified is over a specially malformed binary polynomial
field.
This can be used to perform denial of service against any
system which processes public keys, certificate requests or
certificates. This includes TLS clients and TLS servers with
client authentication enabled.
This issue was reported to OpenSSL by Joseph Barr-Pixton.
(CVE-2015-1788)
[Andy Polyakov]
*) Exploitable out-of-bounds read in X509_cmp_time
X509_cmp_time does not properly check the length of the ASN1_TIME
string and can read a few bytes out of bounds. In addition,
X509_cmp_time accepts an arbitrary number of fractional seconds in the
time string.
An attacker can use this to craft malformed certificates and CRLs of
various sizes and potentially cause a segmentation fault, resulting in
a DoS on applications that verify certificates or CRLs. TLS clients
that verify CRLs are affected. TLS clients and servers with client
authentication enabled may be affected if they use custom verification
callbacks.
This issue was reported to OpenSSL by Robert Swiecki (Google), and
independently by Hanno Böck.
(CVE-2015-1789)
[Emilia Käsper]
*) PKCS7 crash with missing EnvelopedContent
The PKCS#7 parsing code does not handle missing inner EncryptedContent
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
with missing content and trigger a NULL pointer dereference on parsing.
Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
structures from untrusted sources are affected. OpenSSL clients and
servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
(CVE-2015-1790)
[Emilia Käsper]
*) CMS verify infinite loop with unknown hash function
When verifying a signedData message the CMS code can enter an infinite loop
if presented with an unknown hash function OID. This can be used to perform
denial of service against any system which verifies signedData messages using
the CMS code.
This issue was reported to OpenSSL by Johannes Bauer.
(CVE-2015-1792)
[Stephen Henson]
*) Race condition handling NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when attempting to
reuse a previous ticket then a race condition can occur potentially leading to
a double free of the ticket data.
(CVE-2015-1791)
[Matt Caswell]
*) Reject DH handshakes with parameters shorter than 768 bits.
[Kurt Roeckx and Emilia Kasper]
christos