Mail Archives: cygwin/2024/07/04/13:14:12

Message-ID: <775074a0-2bc8-44f1-b0d3-3f264301dc1f@SystematicSW.ab.ca>
Date: Thu, 4 Jul 2024 11:13:12 -0600
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: ssh server vulnerable to regreSSHion?
To: cygwin AT cygwin DOT com
References: <CAArKS8g3yCa3ZEmopMiZCFvOuZww-k=StUWRU0vLeyV9t4pE7g AT mail DOT gmail DOT com>
Organization: Systematic Software
In-Reply-To: <CAArKS8g3yCa3ZEmopMiZCFvOuZww-k=StUWRU0vLeyV9t4pE7g@mail.gmail.com>
From: Brian Inglis via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Brian Inglis <Brian DOT Inglis AT SystematicSW DOT ab DOT ca>

On 2024-07-04 09:31, Tom Kent via Cygwin wrote:
> For anyone not aware, a major, remotely exploitable, vulnerability has been
> found in OpenSSH servers.
> 
> It has been assigned CVE-2024-6387 [1] and titled "regreSSHion" [2] because
> it is actually a regression of a pair of early 2000s bugs:
> CVE-2006-5051 and CVE-2008-4109.
> 
> The vulnerability is a race condition related to its interaction with
> glibc. Because of the way cygwin is built, it isn't clear to me if this is
> something that could possibly be impacting or not, thus I wanted to see if
> smarter heads could identify if this is a potential (or actual) issue.
> 
> Either way, it might be nice to get a determination posted somewhere for
> people to find, as I expect there will be more out there wondering about
> this in the next days/weeks.

If you subscribed to the Cygwin Announce mailing list

	https://cygwin.com/mailman/listinfo/cygwin-announce

	https://inbox.sourceware.org/cygwin-announce/

you would have seen the openssh 9.8p1-1 upgrade announcement

	https://cygwin.com/pipermail/cygwin-announce/2024-July/011846.html

https://inbox.sourceware.org/cygwin-announce/20240702194232 DOT 2039121-1-corinna-cygwin AT cygwin DOT com

which should take care of any potential issues whether vulnerable or not.

The Cygwin OpenSSH maintainer was also involved in pre-release testing:

	https://marc.info/?l=openssh-unix-dev&m=171956630724852&w=2

validated the release, and caught an out-of-tree build test bug, so they are 
taking care on Cygwin, as Cygwin developers and package maintainers are likely 
to be dependent on OpenSSH servers and clients.

The regression issues are dependent on how certain libc functions are 
implemented and used, in Cygwin's case by newlib and/or Cygwin functions.
Other newlib and other libc, like musl, hosted implementations may have similar 
or independent issues.
Certainly Ubuntu and Debian (both 32 bit) have similar issues with significant 
differences.
As the OpenSSH announcement included above says:
"Exploitation on 64-bit systems is believed to be possible but has not been 
demonstrated at this time."
It requires weak ASLR applied to sshd and async-signal-unsafe syslog() calling 
malloc() allowing it to be vulnerable to a race condition exploitable by 
SIGALRM, for the demonstrated vulnerability.

The ObscureKeystrokeTiming password timing attack is assigned as:

	https://www.cve.org/CVERecord?id=CVE-2024-39894

> [1] https://www.cve.org/CVERecord?id=CVE-2024-6387
> [2]
> https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry
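
The handler pattern the message describes (syslog() called from a SIGALRM handler) beside an async-signal-safe form, as an added example that is not part of the original message and is not OpenSSH or Cygwin code. The names `grace_alarm_unsafe`, `grace_alarm_safe` and `wait_for_login` are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <sys/time.h>
#include <syslog.h>
#include <unistd.h>

/* BEFORE, for contrast only and never installed: syslog() is not
 * async-signal-safe and may call malloc(). If SIGALRM lands while the main
 * flow is inside malloc()/free(), the handler re-enters a half-updated heap. */
void grace_alarm_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_AUTH | LOG_INFO, "timeout before authentication");
    _exit(1);
}

/* AFTER: the handler only stores to a sig_atomic_t flag. */
static volatile sig_atomic_t grace_expired;
static void grace_alarm_safe(int sig) { (void)sig; grace_expired = 1; }

/* Hypothetical helper: wait for a login that never arrives. Returns 1 once
 * the grace timer has fired, -1 on bad input or setup failure. */
int wait_for_login(long timeout_ms)
{
    struct sigaction sa = {0};
    struct itimerval it = {0};
    sigset_t block, old, waitmask;

    if (timeout_ms <= 0) return -1;        /* 0 would disarm the timer */
    sa.sa_handler = grace_alarm_safe;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, NULL) != 0) return -1;
    /* Block SIGALRM so testing the flag and going to sleep cannot race. */
    sigemptyset(&block);
    sigaddset(&block, SIGALRM);
    sigprocmask(SIG_BLOCK, &block, &old);
    waitmask = old;
    sigdelset(&waitmask, SIGALRM);
    grace_expired = 0;
    it.it_value.tv_sec = timeout_ms / 1000;
    it.it_value.tv_usec = (timeout_ms % 1000) * 1000;
    int rc = setitimer(ITIMER_REAL, &it, NULL);
    while (rc == 0 && !grace_expired)
        sigsuspend(&waitmask);             /* atomically unblock and sleep */
    sigprocmask(SIG_SETMASK, &old, NULL);
    if (rc != 0) return -1;
    /* Back in normal context, where logging and allocation are safe. */
    syslog(LOG_AUTH | LOG_INFO, "timeout before authentication");
    return 1;
}
```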
