Errata ALT-PU-2024-4467-2: Information
Package name: openssh-gostcrypto
Version: 7.9p1-alt4.gost.p10.1
Bulletin updated: March 28, 2024
Task: #342830
Fixes
Published: Jan. 15, 2019
BDU:2019-00830
Уязвимость реализаций утилиты для удаленного копирования файлов scp, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю манипулировать файлами в каталоге клиента
Severity: MEDIUM (5.9) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Links:
Published: Jan. 15, 2019
BDU:2019-00832
Уязвимость реализаций утилиты для удаленного копирования файлов scp, связанная с недостатками контроля доступа, позволяющая нарушителю скрывать имя передаваемого файла
Severity: MEDIUM (6.8) Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Links:
Published: Jan. 14, 2019
BDU:2019-03788
Уязвимость средства криптографической защиты OpenSSH, вызваная ошибками при проверке имени каталога scp.c в клиенте scp, позволяющая нарушителю изменить права доступа к целевому каталогу
Severity: MEDIUM (5.9) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Links:
Published: Jan. 14, 2019
BDU:2019-03791
Уязвимость функции refresh_progress_meter() (progressmeter.c) средства криптографической защиты OpenSSH, позволяющая нарушителю раскрыть защищаемую информацию или выполнить произвольный код
Severity: MEDIUM (6.8) Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Links:
Published: July 19, 2023
BDU:2023-03950
Уязвимость функции PKCS#11 компонента ssh-agent средства криптографической защиты OpenSSH, позволяющая нарушителю выполнить произвольный код
Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Links:
Published: Dec. 18, 2023
BDU:2023-08853
Уязвимость реализации протокола SSH, связанная с возможностью откорректировать порядковые номера пакетов в процессе согласования соединения и добиться удаления произвольного числа служебных SSH-сообщений, позволяющая нарушителю обойти проверки целостности, отключить существующие функции безопасности, получить несанкционированный доступ к защищаемой информации
Severity: HIGH (7.4) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Links:
Published: Jan. 31, 2019
Modified: Nov. 7, 2023
Modified: Nov. 7, 2023
CVE-2019-6109
An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.
Severity: MEDIUM (6.8) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Links:
- https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
- https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c
- https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c
- USN-3885-1
- DSA-4387
- https://security.netapp.com/advisory/ntap-20190213-0001/
- GLSA-201903-16
- [debian-lts-announce] 20190325 [SECURITY] [DLA 1728-1] openssh security update
- openSUSE-SU-2019:1602
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- RHSA-2019:3702
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- FEDORA-2019-0f4190cdb0
Published: Jan. 31, 2019
Modified: Nov. 7, 2023
Modified: Nov. 7, 2023
CVE-2019-6111
An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).
Severity: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Links:
- https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
- https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c
- 46193
- 106741
- USN-3885-1
- DSA-4387
- https://security.netapp.com/advisory/ntap-20190213-0001/
- https://bugzilla.redhat.com/show_bug.cgi?id=1677794
- USN-3885-2
- GLSA-201903-16
- [debian-lts-announce] 20190325 [SECURITY] [DLA 1728-1] openssh security update
- [oss-security] 20190417 Announce: OpenSSH 8.0 released
- openSUSE-SU-2019:1602
- FreeBSD-EN-19:10
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- RHSA-2019:3702
- [oss-security] 20220802 CVE-2022-29154: Rsync client-side arbitrary file write vulnerability.
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- FEDORA-2019-0f4190cdb0
- [mina-dev] 20190620 [jira] [Created] (SSHD-925) See if SCP vulnerability CVE-2019-6111 applies and mitigate it if so
- [mina-dev] 20190623 [jira] [Comment Edited] (SSHD-925) See if SCP vulnerability CVE-2019-6111 applies and mitigate it if so
- [mina-dev] 20190623 [jira] [Commented] (SSHD-925) See if SCP vulnerability CVE-2019-6111 applies and mitigate it if so
- [mina-dev] 20190820 [jira] [Resolved] (SSHD-925) See if SCP vulnerability CVE-2019-6111 applies and mitigate it if so
Published: July 20, 2023
Modified: April 4, 2024
Modified: April 4, 2024
CVE-2023-38408
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Links:
- https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8
- https://www.openssh.com/txt/release-9.3p2
- https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
- https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent
- https://news.ycombinator.com/item?id=36790196
- https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca
- https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d
- https://www.openssh.com/security.html
- GLSA-202307-01
- [oss-security] 20230719 Re: CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent
- [oss-security] 20230720 Re: Announce: OpenSSH 9.3p2 released
- http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html
- https://security.netapp.com/advisory/ntap-20230803-0010/
- [debian-lts-announce] 20230817 [SECURITY] [DLA 3532-1] openssh security update
- [oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list
- [oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list
- FEDORA-2023-878e04f4ae
- FEDORA-2023-79a18e1725
- https://support.apple.com/kb/HT213940
- https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408
Published: Dec. 18, 2023
Modified: May 1, 2024
Modified: May 1, 2024
CVE-2023-48795
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
Severity: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Links:
- https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
- https://matt.ucc.asn.au/dropbear/CHANGES
- https://www.openssh.com/openbsd.html
- https://github.com/openssh/openssh-portable/commits/master
- https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ
- https://www.bitvise.com/ssh-server-version-history
- https://github.com/ronf/asyncssh/tags
- https://gitlab.com/libssh/libssh-mirror/-/tags
- https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/
- https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42
- https://www.openssh.com/txt/release-9.6
- https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/
- https://www.terrapin-attack.com
- https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25
- https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst
- https://thorntech.com/cve-2023-48795-and-sftp-gateway/
- https://github.com/warp-tech/russh/releases/tag/v0.40.2
- https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0
- https://www.openwall.com/lists/oss-security/2023/12/18/2
- https://twitter.com/TrueSkrillor/status/1736774389725565005
- https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d
- https://github.com/paramiko/paramiko/issues/2337
- https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
- https://news.ycombinator.com/item?id=38684904
- https://news.ycombinator.com/item?id=38685286
- [oss-security] 20231218 CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)
- https://github.com/mwiede/jsch/issues/457
- https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6
- https://github.com/erlang/otp/releases/tag/OTP-26.2.1
- https://github.com/advisories/GHSA-45x7-px36-x8w8
- https://security-tracker.debian.org/tracker/source-package/libssh2
- https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg
- https://security-tracker.debian.org/tracker/CVE-2023-48795
- https://bugzilla.suse.com/show_bug.cgi?id=1217950
- https://bugzilla.redhat.com/show_bug.cgi?id=2254210
- https://bugs.gentoo.org/920280
- https://ubuntu.com/security/CVE-2023-48795
- https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/
- https://access.redhat.com/security/cve/cve-2023-48795
- https://github.com/mwiede/jsch/pull/461
- https://github.com/drakkan/sftpgo/releases/tag/v2.5.6
- https://github.com/libssh2/libssh2/pull/1291
- https://forum.netgate.com/topic/184941/terrapin-ssh-attack
- https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5
- https://github.com/rapier1/hpn-ssh/releases
- https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES
- https://www.netsarang.com/en/xshell-update-history/
- https://www.paramiko.org/changelog.html
- https://github.com/proftpd/proftpd/issues/456
- https://github.com/TeraTermProject/teraterm/releases/tag/v5.1
- https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15
- https://oryx-embedded.com/download/#changelog
- https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
- https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22
- https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab
- https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3
- https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC
- https://crates.io/crates/thrussh/versions
- https://github.com/NixOS/nixpkgs/pull/275249
- [oss-security] 20231219 Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)
- https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc
- https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
- [oss-security] 20231220 Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)
- https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES
- https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES
- https://github.com/apache/mina-sshd/issues/445
- https://github.com/hierynomus/sshj/issues/916
- https://github.com/janmojzis/tinyssh/issues/81
- https://www.openwall.com/lists/oss-security/2023/12/20/3
- https://security-tracker.debian.org/tracker/source-package/trilead-ssh2
- https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16
- http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html
- FEDORA-2023-0733306be9
- DSA-5586
- https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508
- https://www.theregister.com/2023/12/20/terrapin_attack_ssh
- https://filezilla-project.org/versions.php
- https://nova.app/releases/#v11.8
- https://roumenpetrov.info/secsh/#news20231220
- https://www.vandyke.com/products/securecrt/history.txt
- https://help.panic.com/releasenotes/transmit5/
- https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta
- https://github.com/PowerShell/Win32-OpenSSH/issues/2189
- https://winscp.net/eng/docs/history#6.2.2
- https://www.bitvise.com/ssh-client-version-history#933
- https://github.com/cyd01/KiTTY/issues/520
- DSA-5588
- https://github.com/ssh-mitm/ssh-mitm/issues/165
- https://news.ycombinator.com/item?id=38732005
- [debian-lts-announce] 20231226 [SECURITY] [DLA 3694-1] openssh security update
- GLSA-202312-16
- GLSA-202312-17
- FEDORA-2023-20feb865d8
- FEDORA-2023-cb8c606fbb
- FEDORA-2023-e77300e4b5
- FEDORA-2023-b87ec6cf47
- FEDORA-2023-153404713b
- https://security.netapp.com/advisory/ntap-20240105-0004/
- FEDORA-2024-3bb23c77f3
- FEDORA-2023-55800423a8
- FEDORA-2024-d946b9ad25
- FEDORA-2024-71c2c6526c
- FEDORA-2024-39a8c72ea9
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002
- FEDORA-2024-ae653fb07b
- FEDORA-2024-2705241461
- FEDORA-2024-fb32950d11
- FEDORA-2024-7b08207cdb
- FEDORA-2024-06ebb70bdd
- [debian-lts-announce] 20240125 [SECURITY] [DLA 3718-1] php-phpseclib security update
- [debian-lts-announce] 20240125 [SECURITY] [DLA 3719-1] phpseclib security update
- FEDORA-2024-a53b24023d
- FEDORA-2024-3fd1bc9276
- https://support.apple.com/kb/HT214084
- 20240313 APPLE-SA-03-07-2024-2 macOS Sonoma 14.4
- [debian-lts-announce] 20240425 [SECURITY] [DLA 3794-1] putty security update
- [oss-security] 20240417 Terrapin vulnerability in Jenkins CLI client
- [oss-security] 20240306 Multiple vulnerabilities in Jenkins plugins