Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport the security patch of CVE-2024-39894 #1401

Closed

Conversation

Crispy-fried-chicken
Copy link

Hi,
we find the recurring vulnerability which shares the similarity of CVE-2024-39894 in you project with the version of release/14.0.0 and release/13.3.0. The patch of this CVE is openssh/openssh-portable@146c420 and we find that you've already fix it in the main branch, which is the commit b81424a. Is there a need to backport it?

Cherry-pick fix:
upstream: when sending ObscureKeystrokeTiming chaff packets, we
can't rely on channel_did_enqueue to tell that there is data to send. This
flag indicates that the channels code enqueued a packet on _this_ ppoll()
iteration, not that data was enqueued in _any_ ppoll() iteration in the
timeslice. ok markus@

OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136

Obtained from:	openssh-portable 146c420d29d0
Reviewed by:	gordon
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45823
@jlduran
Copy link
Member

jlduran commented Sep 2, 2024

It's already in stable/14, and in stable/13. Patches to releng branches must go through the Security Officer.

@Crispy-fried-chicken
Copy link
Author

It's already in stable/14, and in stable/13. Patches to releng branches must go through the Security Officer.

So how can I do? or there is no need to backport?

@jlduran
Copy link
Member

jlduran commented Sep 3, 2024

I can answer the easy part:

This pull request cannot be accepted as is. If you consider that this bug1 should have received a Security Advisory, then you should follow this procedure: https://www.freebsd.org/security/.

Footnotes

  1. Logic error in ssh(1) ObscureKeystrokeTiming

    In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an OpenSSH server version 9.5 or later, a logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective - a passive observer could still detect which network packets contained real keystrokes when the countermeasure was active because both fake and real keystroke packets were being sent unconditionally.

    This bug was found by Philippos Giavridis and also independently by Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the University of Cambridge Computer Lab.

    Worse, the unconditional sending of both fake and real keystroke packets broke another long-standing timing attack mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for traffic received on TTYs in echo-off mode, such as when entering a password into su(8) or sudo(8). This bug rendered these fake keystroke echoes ineffective and could allow a passive observer of a SSH session to once again detect when echo was off and obtain fairly limited timing information about keystrokes in this situation (20ms granularity by default).

    This additional implication of the bug was identified by Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and we thank them for their detailed analysis.

    This bug does not affect connections when ObscureKeystrokeTiming was disabled or sessions where no TTY was requested.

@bsdimp
Copy link
Member

bsdimp commented Oct 4, 2024

This is in all stable branches, and secteam didn't think we needed a SA for this for 14.0 (which is almost out of support)

@bsdimp bsdimp closed this Oct 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants