[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:14.openssh

Cstdenis cstdenis at ctgameinfo.com
Tue Nov 19 11:59:25 UTC 2013 

I think the file in workaround should actually be /etc/ssh/sshd_config 
unless I am mistaken.

On 11/19/2013 2:21 AM, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-13:14.openssh                                    Security Advisory
>                                                            The FreeBSD Project
>
> Topic:          OpenSSH AES-GCM memory corruption vulnerability
>
> Category:       contrib
> Module:         openssh
> Announced:      2013-11-19
> Affects:        FreeBSD 10.0-BETA
> Corrected:      2013-11-19 09:35:20 UTC (stable/10, 10.0-STABLE)
>                  2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA3-p1)
>                  2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA2-p1)
>                  2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA1-p2)
> CVE Name:       CVE-2013-4548
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I.   Background
>
> OpenSSH is an implementation of the SSH protocol suite, providing an
> encrypted and authenticated transport for a variety of services,
> including remote shell access.
>
> AES-GCM (Galois/Counter Mode) is a mode of operation for AES block
> cipher that combines the counter mode of encryption with the Galois
> mode of authentication which can offer throughput rates for state of
> the art, high speed communication channels.
>
> OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.
>
> II.  Problem Description
>
> A memory corruption vulnerability exists in the post-authentication sshd
> process when an AES-GCM cipher (aes128-gcm at openssh.com or
> aes256-gcm at openssh.com) is selected during key exchange.
>
> III. Impact
>
> If exploited, this vulnerability might permit code execution with the
> privileges of the authenticated user, thereby allowing a malicious
> user with valid credentials to bypass shell or command restrictions
> placed on their account.
>
> IV.  Workaround
>
> Disable AES-GCM in the server configuration. This can be accomplished by
> adding the following /etc/sshd_config option, which will disable AES-GCM
> while leaving other ciphers active:
>
> Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
>
> Systems not running the OpenSSH server daemon (sshd) are not affected.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-13:14/openssh.patch
> # fetch http://security.FreeBSD.org/patches/SA-13:14/openssh.patch.asc
> # gpg --verify openssh.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> Recompile the operating system using buildworld and installworld as
> described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
>
> Restart the sshd daemon, or reboot the system.
>
> 3) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> VI.  Correction details
>
> The following list contains the correction revision numbers for each
> affected branch.
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/10/                                                        r258335
> - -------------------------------------------------------------------------
>
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
> <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
>
> VII. References
>
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4548>
>
> The latest revision of this advisory is available at
> <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:14.openssh.asc>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.15 (FreeBSD)
>
> iQIcBAEBAgAGBQJSizUhAAoJEO1n7NZdz2rn6VcQALriII/5f2ipZQeOt41p5oBi
> r3qQ3uoZc705MGhld/Zz/RjmB8N+NSZUCZQP0sjaEUkksykZNQhmlbvJXB0ywDHP
> ggIpq++7r2igXMwqqj+7SEtOkQc/rP8/pDjAn0CJKDGIItgpYuqB34sEJNNuYjiM
> f/bdfXN3zU4VOiIjCjfGuOamGPXCyRdEAm9HKMVWuDqXIjBHdOxhkw2TnyrC77Vd
> IxOEYsD97XYuJF++55uHBMv+jynrlQfJF9s3+rQVGOqs14KXYJ+HeqFwxJkhIzyg
> BrxotPNcO6i5lFOiZrCcmEkf3SRh3Ok3CFFFdn9EhOTxrfGKRm/7R+WB0NKT4+ll
> sAWfhCCMHkhE/j/0L/DCGL8wD6zH1bzpFWn6efAlih4N5YXSJfGlZdkPw0zl/ZgD
> umYiwpr9PMnPtocfpV51HITNf0T+CUUHJ5bI3Do9cKZyr3yt869r2MNH6PLT0Lyl
> 4YTcN6IC1K+2JXxvjry7wuJWaPUDS/Hl7Rb3vivdyFJsOF6cddCq1uoU/COXjEE7
> KF2+KXNKyCZvfPYxzaljvQjEEGZFswN21YrG4dk3JbaOEo0/+s06DJe/YDhagRgQ
> h1DtzesRuV8Mlxf0kCX5dmMEjIYX0ZtsZT7aueoSD0zGDFpiOjMQ2DQ3O9S3UhFz
> ScAFXjtFwMqy8RkwNzIp
> =Nkc2
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-announce at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe at freebsd.org"

More information about the freebsd-security mailing list