Bug 1217028 (CVE-2023-46445)

Summary: VUL-0: CVE-2023-46445: python-asyncssh: extension negotiation MitM attack
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Carlos López <carlos.lopez>
Component: Security
Assignee: Ondřej Súkup <mimi.vx>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: dmueller, thomas.leroy
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Carlos López 2023-11-10 12:53:25 UTC
CVE-2023-46445

Summary
An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack.

Details
The rogue extension negotiation attack targets an AsyncSSH client connecting to any SSH server sending an extension info message. The attack exploits an implementation flaw in the AsyncSSH implementation to inject an extension info message chosen by the attacker and delete the original extension info message, effectively replacing it.

A correct SSH implementation should not process an unauthenticated extension info message. However, the injected message is accepted due to flaws in AsyncSSH. AsyncSSH supports the server-sig-algs and global-requests-ok extensions. Hence, the attacker can downgrade the algorithm used for client authentication by meddling with the value of server-sig-algs (e.g. use of SHA-1 instead of SHA-2).

References:
https://github.com/advisories/GHSA-cfc2-wr2v-gxm5
https://github.com/ronf/asyncssh/commit/83e43f5ea3470a8617fc388c72b062c7136efd7e
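
A receiver-side check for the rule in the description, as an added example (not code from AsyncSSH or from the reporter): the hypothetical `ExtInfoGate` accepts a server's extension info message only at the positions RFC 8308 allows, so one that arrives before `SSH_MSG_NEWKEYS` is rejected instead of processed. The class and function names are assumptions, and the traces passed to `accepted_extensions` are constructed.

```python
# Added example; not AsyncSSH code. Message numbers: RFC 4253, 4252, 8308.
MSG_EXT_INFO, MSG_KEXINIT, MSG_NEWKEYS, MSG_USERAUTH_SUCCESS = 7, 20, 21, 52


class ProtocolError(Exception):
    """A packet arrived at a position the protocol does not allow."""


class ExtInfoGate:
    """Hypothetical client-side gate for server EXT_INFO packets.

    RFC 8308 allows a server EXT_INFO only as the first packet after the
    server's first NEWKEYS, or immediately before USERAUTH_SUCCESS.
    """

    def __init__(self):
        self.newkeys_seen = False
        self.first_after_newkeys = False  # true for exactly one packet
        self.pending = None               # EXT_INFO awaiting USERAUTH_SUCCESS
        self.extensions = {}

    def receive(self, msg_type, payload=None):
        if msg_type == MSG_EXT_INFO:
            if not self.newkeys_seen:
                raise ProtocolError("EXT_INFO before NEWKEYS: unauthenticated")
            if self.pending is not None:
                raise ProtocolError("repeated EXT_INFO")
            if self.first_after_newkeys:
                self.extensions.update(payload or {})
            else:
                self.pending = dict(payload or {})
            self.first_after_newkeys = False
            return
        if self.pending is not None:
            if msg_type != MSG_USERAUTH_SUCCESS:
                raise ProtocolError("EXT_INFO at a disallowed position")
            self.extensions.update(self.pending)
            self.pending = None
        self.first_after_newkeys = msg_type == MSG_NEWKEYS and not self.newkeys_seen
        self.newkeys_seen = self.newkeys_seen or msg_type == MSG_NEWKEYS


def accepted_extensions(trace):
    """Run a constructed list of (msg_type, payload) through the gate."""
    gate = ExtInfoGate()
    for msg_type, payload in trace:
        gate.receive(msg_type, payload)
    return gate.extensions
```
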
Comment 1 OBSbugzilla Bot 2023-11-10 13:45:02 UTC
This is an autogenerated message for OBS integration:
This bug (1217028) was mentioned in
https://build.opensuse.org/request/show/1124972 Factory / python-asyncssh
Comment 2 Thomas Leroy 2023-11-14 08:18:41 UTC
Factory fixed. Closing