Message-ID: <775074a0-2bc8-44f1-b0d3-3f264301dc1f@SystematicSW.ab.ca>
Date: Thu, 4 Jul 2024 11:13:12 -0600
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: ssh server vulnerable to regreSSHion?
To: cygwin@cygwin.com
References: <CAArKS8g3yCa3ZEmopMiZCFvOuZww-k=StUWRU0vLeyV9t4pE7g@mail.gmail.com>
Content-Language: en-CA
Organization: Systematic Software
In-Reply-To: <CAArKS8g3yCa3ZEmopMiZCFvOuZww-k=StUWRU0vLeyV9t4pE7g@mail.gmail.com>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
From: Brian Inglis via Cygwin <cygwin@cygwin.com>
Reply-To: cygwin@cygwin.com
Cc: Brian Inglis <Brian.Inglis@SystematicSW.ab.ca>

On 2024-07-04 09:31, Tom Kent via Cygwin wrote:
> For anyone not aware, a major, remotely exploitable, vulnerability has been
> found in OpenSSH servers.
> 
> It has been assigned CVE-2024-6387 [1] and titled "regreSSHion" [2] because
> it is actually a regression of a pair of early 2000s bugs:
> CVE-2006-5051 and CVE-2008-4109.
> 
> The vulnerability is a race condition related to its interaction with
> glibc. Because of the way cygwin is built, it isn't clear to me if this is
> something that could possibly be impacting or not, thus I wanted to see if
> smarter heads could identify if this is a potential (or actual) issue.
> 
> Either way, it might be nice to get a determination posted somewhere for
> people to find, as I expect there will be more out there wondering about
> this in the next days/weeks.

If you subscribed to Cygwin Announce mailing list

	https://cygwin.com/mailman/listinfo/cygwin-announce

	https://inbox.sourceware.org/cygwin-announce/

you would have seen the openssh 9.8p1-1 upgrade announcement

	https://cygwin.com/pipermail/cygwin-announce/2024-July/011846.html

	https://inbox.sourceware.org/cygwin-announce/20240702194232.2039121-1-corinna-cygwin@cygwin.com

which should take care of any potential issues whether vulnerable or not.

The Cygwin OpenSSH maintainer was also involved in pre-release testing:

	https://marc.info/?l=openssh-unix-dev&m=171956630724852&w=2

validated the release, and caught an out-of-tree build test bug, so they are
taking care on Cygwin, as Cygwin developers and package maintainers are likely
to be dependent on OpenSSH servers and clients.

The regression issues are dependent on how certain libc functions are
implemented and used, in Cygwin's case by newlib and/or Cygwin functions.
Other newlib and other libc, like musl, hosted implementations may have similar
or independent issues.
Certainly Ubuntu and Debian (both 32 bit) have similar issues with significant
differences.
As the OpenSSH announcement included above says:
"Exploitation on 64-bit systems is believed to be possible but has not been
demonstrated at this time."
It requires weak ASLR applied to sshd and async-signal-unsafe syslog() calling
malloc() allowing it to be vulnerable to a race condition exploitable by
SIGALRM, for the demonstrated vulnerability.

The ObscureKeystrokeTiming password timing attack is assigned as:

	https://www.cve.org/CVERecord?id=CVE-2024-39894

> [1] https://www.cve.org/CVERecord?id=CVE-2024-6387
> [2]
> https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry
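The async-signal-safety point above, as an added C illustration that is not part of the thread or of OpenSSH's own code: the first handler shows the bug class (syslog(), which may call malloc(), invoked from a SIGALRM handler), the second shows the defensive pattern of only setting a sig_atomic_t flag and logging later from normal context. The function and variable names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <syslog.h>
#include <unistd.h>

/* Vulnerable pattern (the bug class behind CVE-2024-6387): the SIGALRM
 * handler calls syslog(), which is not async-signal-safe and may call
 * malloc()/free() internally. If the signal lands while the interrupted
 * code is itself inside the allocator, the handler re-enters the heap
 * while its state is inconsistent. */
static void grace_alarm_handler_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication"); /* may malloc() */
    _exit(1);
}

/* Hardened pattern: the handler only records the event in a flag of type
 * sig_atomic_t; everything else is deferred to the main loop. */
static volatile sig_atomic_t timeout_fired = 0;

static void grace_alarm_handler_safe(int sig)
{
    (void)sig;
    timeout_fired = 1; /* the only work a handler should do here */
}

/* Install one of the two handlers on SIGALRM; returns 0 on success. */
int install_grace_alarm(int hardened)
{
    struct sigaction sa;
    sa.sa_handler = hardened ? grace_alarm_handler_safe
                             : grace_alarm_handler_unsafe;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Called from the main loop in normal (non-signal) context: consume the
 * flag and do the logging here, where syslog() and malloc() are safe.
 * Returns 1 if a timeout was pending, 0 otherwise. */
int service_timeout(void)
{
    if (!timeout_fired)
        return 0;
    timeout_fired = 0;
    syslog(LOG_INFO, "Timeout before authentication");
    return 1;
}
```

The main loop polls service_timeout() after each unit of work (or after poll()/select() returns EINTR), so the timeout is acted on promptly without any unsafe call from the handler.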
