1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
Damien Miller djm at mindrot.org
Mon Jul 1 18:21:11 AEST 2024
Previous message (by thread): Announce: OpenSSH 9.8 released
Next message (by thread): Announce: OpenSSH 9.8 released
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
Regarding the race condition fixed in OpenSSH 9.8. A mitigation to
prevent exploitation of this bug is to disable the login grace timer
by setting LoginGraceTime=0 in sshd_config. This will however make
it much easier for an attacker to deny service to sshd.
Similarly, the much more minor keystroke timing bug can be avoided
by disabling the feature using ObscureKeystrokeTiming=0.
Some users will understandably prefer to patch their OpenSSH rather
than upgrade to the newest version, so here are minimal patches for
both problems.
1) Critical race condition in sshd
2) Minor logic error in ObscureKeystrokeTiming
--- log.c.orig 2024-07-02 09:05:35.023051000 -0700
+++ log.c 2024-07-02 09:05:54.881067000 -0700
@@ -451,12 +451,14 @@ sshsigdie(const char *file, const char *func, int line
sshsigdie(const char *file, const char *func, int line, int showfunc,
LogLevel level, const char *suffix, const char *fmt, ...)
{
+#ifdef SYSLOG_R_SAFE_IN_SIGHAND
va_list args;
va_start(args, fmt);
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
suffix, fmt, args);
va_end(args);
+#endif
_exit(1);
}
--- clientloop.c.orig 2024-07-02 09:06:09.736347000 -0700
+++ clientloop.c 2024-07-02 09:06:41.414979000 -0700
@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct tim
if (timespeccmp(&now, &chaff_until, >=)) {
/* Stop if there have been no keystrokes for a while */
stop_reason = "chaff time expired";
- } else if (timespeccmp(&now, &next_interval, >=)) {
- /* Otherwise if we were due to send, then send chaff */
+ } else if (timespeccmp(&now, &next_interval, >=) &&
+ !ssh_packet_have_data_to_write(ssh)) {
+ /* If due to send but have no data, then send chaff */
if (send_chaff(ssh))
nchaff++;
}
|
