Message-ID: <775074a0-2bc8-44f1-b0d3-3f264301dc1f@SystematicSW.ab.ca>
Date: Thu, 4 Jul 2024 11:13:12 -0600
Subject: Re: ssh server vulnerable to regreSSHion?
From: Brian Inglis via Cygwin
To: cygwin AT cygwin DOT com
Reply-To: cygwin AT cygwin DOT com
Cc: Brian Inglis
Organization: Systematic Software

On 2024-07-04 09:31, Tom Kent via Cygwin wrote:
> For anyone not aware, a major, remotely exploitable, vulnerability has been
> found in OpenSSH servers.
>
> It has been assigned CVE-2024-6387 [1] and titled "regreSSHion" [2] because
> it is actually a regression of a pair of early 2000s bugs:
> CVE-2006-5051 and CVE-2008-4109.
>
> The vulnerability is a race condition related to its interaction with
> glibc. Because of the way cygwin is built, it isn't clear to me if this is
> something that could possibly be impacting or not, thus I wanted to see if
> smarter heads could identify if this is a potential (or actual) issue.
>
> Either way, it might be nice to get a determination posted somewhere for
> people to find, as I expect there will be more out there wondering about
> this in the next days/weeks.

If you subscribed to the Cygwin Announce mailing list

https://cygwin.com/mailman/listinfo/cygwin-announce
https://inbox.sourceware.org/cygwin-announce/

you would have seen the openssh 9.8p1-1 upgrade announcement

https://cygwin.com/pipermail/cygwin-announce/2024-July/011846.html
https://inbox.sourceware.org/cygwin-announce/20240702194232 DOT 2039121-1-corinna-cygwin AT cygwin DOT com

which should take care of any potential issues, whether vulnerable or not.

The Cygwin OpenSSH maintainer was also involved in pre-release testing:

https://marc.info/?l=openssh-unix-dev&m=171956630724852&w=2

validated the release, and caught an out-of-tree build test bug, so they are
taking care on Cygwin, as Cygwin developers and package maintainers are likely
to be dependent on OpenSSH servers and clients.

The regression issues are dependent on how certain libc functions are
implemented and used, in Cygwin's case by newlib and/or Cygwin functions.
Other newlib- and other libc-hosted implementations, like musl, may have
similar or independent issues. Certainly Ubuntu and Debian (both 32 bit) have
similar issues with significant differences.

As the OpenSSH announcement included above says:

"Exploitation on 64-bit systems is believed to be possible but has not been
demonstrated at this time."

It requires weak ASLR applied to sshd and async-signal-unsafe syslog() calling
malloc(), allowing it to be vulnerable to a race condition exploitable by
SIGALRM, for the demonstrated vulnerability.
The ObscureKeystrokeTiming password timing attack is assigned as:

https://www.cve.org/CVERecord?id=CVE-2024-39894

> [1] https://www.cve.org/CVERecord?id=CVE-2024-6387
> [2] https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

-- 
Take care. Thanks, Brian Inglis                Calgary, Alberta, Canada

La perfection est atteinte                     Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter    not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer       but when there is no more to cut
                                               -- Antoine de Saint-Exupéry

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple