Bug 936695 - (CVE-2015-5352) VUL-0: CVE-2015-5352: openssh: XSECURITY restrictions bypass
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Petr Cerny
QA Contact: Security Team bot
Whiteboard: CVSSv2:RedHat:CVE-2015-5352:4.9:(AV:N...
Depends on:
Blocks: 938277
Reported: 2015-07-01 06:24 UTC by Marcus Meissner
Modified: 2019-03-15 19:42 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
yuanjia.li: needinfo? (pcerny)
Description Marcus Meissner 2015-07-01 06:24:06 UTC
http://www.openssh.com/txt/release-6.9

Security
--------

 * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
   connections made after ForwardX11Timeout expired could be permitted
   and no longer subject to XSECURITY restrictions because of an
   ineffective timeout check in ssh(1) coupled with "fail open"
   behaviour in the X11 server when clients attempted connections with
   expired credentials. This problem was reported by Jann Horn.

 * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
   password guessing by implementing an increasing failure delay,
   storing a salted hash of the password rather than the password
   itself and using a timing-safe comparison function for verifying
   unlock attempts. This problem was reported by Ryan Castellucci.

No CVEs assigned yet apparently.
Comment 1 Andreas Stieger 2015-07-01 12:29:22 UTC
(In reply to Marcus Meissner from comment #0)
>  * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
>    connections made after ForwardX11Timeout expired could be permitted
>    and no longer subject to XSECURITY restrictions because of an
>    ineffective timeout check in ssh(1) coupled with "fail open"
>    behaviour in the X11 server when clients attempted connections with
>    expired credentials. This problem was reported by Jann Horn.

https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d

>  * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
>    password guessing by implementing an increasing failure delay,
>    storing a salted hash of the password rather than the password
>    itself and using a timing-safe comparison function for verifying
>    unlock attempts. This problem was reported by Ryan Castellucci.

https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=9173d0fbe44de7ebcad8a15618e13a8b8d78902e

> No CVEs assigned yet apparently.

Requesting.
Comment 4 Andreas Stieger 2015-07-02 07:38:00 UTC
CVE assigned for the first issue:

http://seclists.org/oss-sec/2015/q3/9

> https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&
> id=1bf477d3cdf1a864646d59820878783d42357a1d
> 
> 
> Use CVE-2015-5352 for the issue in which the refusal deadline was not
> checked within the x11_open_helper function.

There is some concern about additional changes:

> (There's extra code to
> make the x11_refuse_time value usable within two source-code files,
> but adding that code doesn't seem to be related to any independent
> problem.)

Also for moving code:

> We didn't completely understand the rationale for moving "system(cmd)"
> after the x11_refuse_time assignment, or whether this is addressing an
> independent problem.[...]

Asked upstream for comment on this:

> The scope of CVE-2015-5352 does not include any fail-open
> characteristics of an X server. There could possibly be a separate CVE
> ID if there is an error that needs to be fixed in the X codebase.


On the other issue:

>      * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
>        password guessing by implementing an increasing failure delay,
>        storing a salted hash of the password rather than the password
>        itself and using a timing-safe comparison function for verifying
>        unlock attempts.
> 
> 
> Our current thought is that a CVE ID may not be needed because attacks
> against ssh-agent locking don't cross a privilege boundary. In other
> words, the changelog entry could be interpreted to mean addition of a
> new security feature related to a threat model that wasn't in the
> previous design goals (e.g., password guessing by malware running
> under the same account).

I have asked upstream for comment.
Comment 5 Marcus Meissner 2015-07-09 06:14:31 UTC
A write up for CVE-2015-5352: https://thejh.net/written-stuff/openssh-6.8-xsecurity
Comment 6 Jason Dian 2015-07-15 08:58:52 UTC
(In reply to Marcus Meissner from comment #5)
> A write up for CVE-2015-5352:
> https://thejh.net/written-stuff/openssh-6.8-xsecurity
Are SLES11SP3, SLES11SP1 and SLES10SP4 affected by this CVE?
Comment 7 Jason Dian 2015-07-15 09:30:24 UTC
(In reply to Jason Dian from comment #6)
> (In reply to Marcus Meissner from comment #5)
> > A write up for CVE-2015-5352:
> > https://thejh.net/written-stuff/openssh-6.8-xsecurity
> Are SLES11SP3, SLES11SP1 and SLES10SP4 affected by this CVE?

(In reply to Marcus Meissner from comment #5)
> A write up for CVE-2015-5352:
> https://thejh.net/written-stuff/openssh-6.8-xsecurity
When will the patch be released?
Comment 8 Andreas Stieger 2015-07-15 12:00:26 UTC
Digest of impact: A malicious SSH server could gain compromising access to the X session of a client connecting with ssh -X

Adjusting severity.
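The impact digest above depends on how the client is configured: ForwardX11Trusted decides whether the server gets the full X session or an XSECURITY-restricted one, and ForwardX11Timeout sets the deadline whose check the fix repairs. The audit below is an added example written for this page, not code from the bug report or from OpenSSH. It parses an ssh_config-style file with the first-obtained-value-wins semantics of ssh_config(5), resolves the effective options for a host, and reports the X11 exposure; the sample configuration is constructed, the defaults (ForwardX11 no, ForwardX11Trusted no, ForwardX11Timeout 20m) are the upstream ones and may differ per distribution, and Match blocks are deliberately not modelled.

```python
"""Audit ssh_config for the X11 forwarding settings that CVE-2015-5352 turns on.

Added example for this page, not part of the bug report or of OpenSSH.
Parsing follows ssh_config(5): keywords are case-insensitive, 'Host' opens a
block, and for every option the FIRST obtained value wins (so host-specific
blocks must come before 'Host *'). Defaults are the upstream ssh_config(5)
ones; a distribution may ship different ones. Match blocks are skipped.
"""
import fnmatch
import re

DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no", "forwardx11timeout": "20m"}
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed sample client configuration (not taken from the bug report).
SAMPLE_CONFIG = """\
# build hosts get trusted forwarding: a malicious server owns the X session
Host build-*
    ForwardX11 yes
    ForwardX11Trusted yes

Host lab.example
    ForwardX11 yes
    ForwardX11Trusted=no
    ForwardX11Timeout 5m

Host *
    ForwardX11 no
"""


def parse_time(value):
    """ssh time format ('1200', '20m', '1h30m') -> seconds."""
    if not re.fullmatch(r"(?:\d+[smhdwSMHDW]?)+", value):
        raise ValueError("bad time value: %r" % value)
    return sum(int(n) * _UNITS[u.lower()]
               for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", value))


def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order."""
    blocks = [(["*"], {})]          # options before the first Host line apply everywhere
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)   # 'Key value' or 'Key=value'
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            blocks.append(([], {}))   # never matches: Match criteria are not modelled
        else:
            blocks[-1][1].setdefault(key, value)   # first value inside a block wins too
    return blocks


def host_matches(host, patterns):
    """ssh-style pattern list: some positive glob matches and no '!' glob does."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)


def effective_options(blocks, host):
    """Resolve options for one host: first obtained value wins, then defaults."""
    opts = {}
    for patterns, kv in blocks:
        if host_matches(host, patterns):
            for k, v in kv.items():
                opts.setdefault(k, v)
    for k, v in DEFAULTS.items():
        opts.setdefault(k, v)
    return opts


def audit_host(blocks, host, cmdline_x=False):
    """Findings as (severity, message). cmdline_x models running 'ssh -X host'."""
    o = effective_options(blocks, host)
    findings = []
    enabled = o["forwardx11"].lower() == "yes"
    if enabled:
        findings.append(("info", "X11 forwarding is on by default for %s" % host))
    if not (enabled or cmdline_x):
        return findings
    if o["forwardx11trusted"].lower() == "yes":
        findings.append(("high", "trusted forwarding: the server gets full, untimed "
                                 "access to the local X session"))
    else:
        secs = parse_time(o["forwardx11timeout"])
        findings.append(("medium", "untrusted forwarding with ForwardX11Timeout=%ds: "
                                   "ssh 5.6p1..6.8 without the CVE-2015-5352 fix may "
                                   "accept connections after the deadline" % secs))
    return findings


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    for h in ("build-01", "lab.example", "other.example"):
        for sev, msg in audit_host(cfg, h, cmdline_x=True):
            print("%-14s %-6s %s" % (h, sev, msg))
```

Run against a real ~/.ssh/config by replacing SAMPLE_CONFIG with the file contents; hosts that resolve to trusted forwarding are the ones where the digest in Comment 8 applies in full, while untrusted hosts are covered by the version check in the later comments.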
Comment 9 Swamp Workflow Management 2015-07-15 15:52:51 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-07-29.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62212
Comment 13 Sebastian Krahmer 2015-08-04 12:09:18 UTC
For the X11 timeout mechanism:
If certain versions don't support that feature/protection, we don't need
to port that feature just to fix it. If there is no such option, we
don't need to fix that.

For the agent locking: the salting/hashing patch sounds very intrusive, with
the risk of breaking other things. IMHO it would be sufficient to
just use the increased-delay and time-constant-compare part of the patchset
to fix openssh versions that don't have blowfish and bcrypt-pbkdf available.

All other distros which have the features and building blocks
available should get the "full" patch.
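The release note in the description lists three hardening measures for the agent lock (increasing failure delay, salted hash instead of the stored password, timing-safe comparison), and the comment above proposes backporting only the last two to builds without bcrypt-pbkdf. The model below is an added illustration written for this page, not OpenSSH's ssh-agent code: OpenSSH 6.9 uses bcrypt_pbkdf and timingsafe_bcmp, while this model substitutes PBKDF2-HMAC-SHA256 and Python's hmac.compare_digest; the delay schedule (100 ms doubling per consecutive failure, capped at 10 s) and the round count are assumptions. hash_passphrase=False reproduces the reduced backport: delay and constant-time compare only, with the passphrase still resident in memory.

```python
"""Model of the hardened ssh-agent lock (ssh-add -x) from the OpenSSH 6.9 notes.

Added illustration, not OpenSSH's code. Substitutions and assumptions:
PBKDF2-HMAC-SHA256 stands in for bcrypt_pbkdf, hmac.compare_digest for
timingsafe_bcmp, and the delay schedule below is invented for the example.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 50_000   # assumption; OpenSSH uses bcrypt_pbkdf with its own rounds
BASE_DELAY = 0.1         # assumption: 100 ms after the first failed unlock
MAX_DELAY = 10.0         # assumption: cap so a locked agent stays usable by its owner


class AgentLock:
    def __init__(self, hash_passphrase=True, sleep=time.sleep):
        # hash_passphrase=False models the reduced backport: delay and
        # timing-safe compare only, passphrase kept in memory.
        self.hash_passphrase = hash_passphrase
        self._sleep = sleep          # injectable so tests do not really sleep
        self.locked = False
        self.failures = 0
        self._salt = None
        self._stored = None          # salted hash, or raw passphrase in backport mode

    @staticmethod
    def _derive(passphrase, salt):
        return hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ROUNDS)

    def failure_delay(self):
        """Delay applied after the Nth consecutive failure: doubling, capped."""
        if self.failures == 0:
            return 0.0
        return min(BASE_DELAY * 2 ** (self.failures - 1), MAX_DELAY)

    def lock(self, passphrase):
        """Lock the agent; a fresh random salt is drawn for every lock."""
        if self.locked:
            return False
        pw = passphrase.encode()
        if self.hash_passphrase:
            self._salt = os.urandom(16)
            self._stored = self._derive(pw, self._salt)
        else:
            self._stored = pw
        self.locked = True
        self.failures = 0
        return True

    def unlock(self, passphrase):
        """Verify in constant time; on failure count it and sleep before answering."""
        if not self.locked:
            return False
        pw = passphrase.encode()
        candidate = self._derive(pw, self._salt) if self.hash_passphrase else pw
        # Timing-safe: runtime does not depend on where the first mismatching byte is.
        if hmac.compare_digest(candidate, self._stored):
            self.locked = False
            self.failures = 0
            self._stored = self._salt = None
            return True
        self.failures += 1
        self._sleep(self.failure_delay())
        return False

    def holds_plaintext(self, passphrase):
        """True if the raw passphrase is still resident in the lock state."""
        return self._stored == passphrase.encode()


if __name__ == "__main__":
    lock = AgentLock()
    lock.lock("correct horse")
    for guess in ("wrong", "still wrong", "correct horse"):
        t0 = time.monotonic()
        ok = lock.unlock(guess)
        print("%-14s ok=%-5s failures=%d waited=%.2fs"
              % (guess, ok, lock.failures, time.monotonic() - t0))
```

The two properties worth checking are visible in the state, not just the return value: with hashing on, holds_plaintext() is false after lock(), so a memory read of the agent yields a salted hash rather than the password; in either mode the delay grows with every consecutive failure and resets only on a successful unlock.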
Comment 15 Petr Cerny 2015-08-04 14:26:32 UTC
Hm, timingsafe_bcmp arrived at about the same time blowfish and bcrypt-pbkdf did. Still it's rather straightforward.
Comment 16 Jason Dian 2015-09-06 07:04:33 UTC
The patches have been in QA for a long time. The customer wants to know when they will be released.
Comment 18 Marcus Meissner 2015-09-10 09:40:57 UTC
QA: no reproducer available at this time.
Comment 19 Swamp Workflow Management 2015-09-11 13:10:21 UTC
SUSE-SU-2015:1544-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 903649,932483,936695,938746,943006,943010
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Server 12 (src):    openssh-6.6p1-29.1, openssh-askpass-gnome-6.6p1-29.1
SUSE Linux Enterprise Desktop 12 (src):    openssh-6.6p1-29.1, openssh-askpass-gnome-6.6p1-29.1
Comment 20 Swamp Workflow Management 2015-09-11 15:12:31 UTC
SUSE-SU-2015:1547-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 673532,903649,905118,914309,916549,932483,936695,938746,943006,943010
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    openssh-6.2p2-0.17.1, openssh-askpass-gnome-6.2p2-0.17.3
SUSE Linux Enterprise Server 11-SP3 (src):    openssh-6.2p2-0.17.1, openssh-askpass-gnome-6.2p2-0.17.3
Comment 21 Swamp Workflow Management 2015-09-11 16:12:43 UTC
SUSE-SU-2015:1547-2: An update that solves 5 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 673532,903649,905118,914309,916549,932483,936695,938746,943006,943010
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Desktop 11-SP3 (src):    openssh-6.2p2-0.17.1, openssh-askpass-gnome-6.2p2-0.17.3
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openssh-6.2p2-0.17.1, openssh-askpass-gnome-6.2p2-0.17.3
Comment 22 Swamp Workflow Management 2015-09-21 07:12:43 UTC
SUSE-SU-2015:1581-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 673532,903649,905118,914309,916549,932483,936695,938746,943006,943010,945493
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    openssh-6.2p2-0.21.1, openssh-askpass-gnome-6.2p2-0.21.3
SUSE Linux Enterprise Server 11-SP3 (src):    openssh-6.2p2-0.21.1, openssh-askpass-gnome-6.2p2-0.21.3
SUSE Linux Enterprise Desktop 11-SP3 (src):    openssh-6.2p2-0.21.1, openssh-askpass-gnome-6.2p2-0.21.3
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openssh-6.2p2-0.21.1, openssh-askpass-gnome-6.2p2-0.21.3
Comment 24 Swamp Workflow Management 2015-10-07 14:54:39 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-10-21.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62308
Comment 25 Swamp Workflow Management 2015-10-07 16:11:48 UTC
SUSE-SU-2015:1695-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 903649,932483,936695,938746,939932,943006,943010,945484,945493,947458
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    openssh-6.6p1-13.1, openssh-askpass-gnome-6.6p1-13.3
SUSE Linux Enterprise Desktop 11-SP4 (src):    openssh-6.6p1-13.1, openssh-askpass-gnome-6.6p1-13.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openssh-6.6p1-13.1, openssh-askpass-gnome-6.6p1-13.3
Comment 28 Swamp Workflow Management 2015-10-28 16:11:17 UTC
SUSE-SU-2015:1840-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 673532,903649,905118,914309,932483,936695,938746
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    openssh-5.1p1-41.69.1, openssh-askpass-gnome-5.1p1-41.69.4
Comment 30 Tristan Ye 2016-02-05 03:47:39 UTC
Guys, does this issue get fixed in SLES 11SP1?
Comment 31 Marcus Meissner 2016-02-05 06:09:29 UTC
The issue affects SLES 11 SP1, but no, SLES 11 SP1 is out of support and did not get fixed.
Comment 32 Xuanke Han 2016-05-25 07:31:53 UTC
(In reply to Marcus Meissner from comment #31)
> The issue affects SLES 11 SP1, but no, SLES 11 SP1 is out of support and did
> not get fixed.

Hi Marcus,

According to comment #9 of bug #938277, CVE-2015-5352 does not affect it. Could you check again and confirm?

Thanks,
Xuanke Han
Comment 34 Bernhard Wiedemann 2016-05-27 10:00:56 UTC
This is an autogenerated message for OBS integration:
This bug (936695) was mentioned in
https://build.opensuse.org/request/show/398334 13.2 / openssh
Comment 35 元甲 李 2016-07-21 05:50:13 UTC
Dear Petr, has this PTF completed testing? My customers tested this PTF and hit the following issue with the ssh client connection:
OMM1:~/CVE-2015-5352 # ls
openssh-5.1p1-41.55.1.9388.0.PTF.948086.x86_64.rpm  openssh-askpass-5.1p1-41.55.1.9388.0.PTF.948086.x86_64.rpm
OMM1:~/CVE-2015-5352 # rpm -qa |grep openssh
openssh-askpass-5.1p1-41.31.36
openssh-5.1p1-41.31.36
OMM1:~/CVE-2015-5352 # rpm -Uvh openssh-5.1p1-41.55.1.9388.0.PTF.948086.x86_64.rpm openssh-askpass-5.1p1-41.55.1.9388.0.PTF.948086.x86_64.rpm
Preparing...                ########################################### [100%]
   1:openssh                ########################################### [ 50%]
Updating etc/sysconfig/ssh...
Starting SuSEconfig, the SuSE Configuration Tool...
Running module permissions only
Reading /etc/sysconfig and updating the system...
Executing /sbin/conf.d/SuSEconfig.permissions...
Finished.
   2:openssh-askpass        ########################################### [100%]
OMM1:~/CVE-2015-5352 # rcsshd restart
Shutting down SSH daemon                                                                                                                                                           done
Starting SSH daemon                                                                                                                                                                done
OMM1:~/CVE-2015-5352 # rcsshd restart
Shutting down SSH daemon                                                                                                                                                           done
Starting SSH daemon                                                                                                                                                                done
OMM1:~/CVE-2015-5352 #  /bin/netstat -nlp | grep sshd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3873/sshd
OMM1:~/CVE-2015-5352 # ssh 127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
RSA key fingerprint is af:94:2c:27:94:dc:bc:2c:f8:38:5e:66:37:bd:bd:53.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts.
Last login: Fri Jul 15 08:49:52 2016 from 192.168.10.9
OMM1:~/CVE-2015-5352 # ssh 192.168.10.110
The authenticity of host '192.168.10.110 (192.168.10.110)' can't be established.
RSA key fingerprint is af:94:2c:27:94:dc:bc:2c:f8:38:5e:66:37:bd:bd:53.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.110' (RSA) to the list of known hosts.
Last login: Fri Jul 15 09:01:22 2016 from localhost
OMM1:~ #
OMM1:~ #
root@hatest02 ~]# ssh root@192.168.10.110
Connection closed by 192.168.10.110
[root@hatest02 ~]# ssh -vv root@192.168.10.110
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.10.110 [192.168.10.110] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Connection closed by 192.168.10.110
[root@hatest02 ~]#
OMM1:~ # tailf /var/log/messages
Jul 15 08:49:52 OMM1 sshd[3716]: Accepted publickey for root from 192.168.10.9 port 59326 ssh2
Jul 15 08:50:17 OMM1 shadow[3767]: group already exists - group=sshd, by=0
Jul 15 08:50:17 OMM1 useradd[3768]: account already exists - account=sshd, by=0
Jul 15 08:50:18 OMM1 sshd[3678]: Received signal 15; terminating.
Jul 15 08:50:18 OMM1 sshd[3813]: Server listening on 0.0.0.0 port 22.
Jul 15 08:50:28 OMM1 sshd[3813]: Received signal 15; terminating.
Jul 15 08:50:28 OMM1 sshd[3843]: Server listening on 0.0.0.0 port 22.
Jul 15 08:50:32 OMM1 sshd[3843]: Received signal 15; terminating.
Jul 15 08:50:32 OMM1 sshd[3873]: Server listening on 0.0.0.0 port 22.
Jul 15 08:51:14 OMM1 sshd[3879]: Accepted publickey for root from 127.0.0.1 port 11688 ssh2
^C
OMM1:~ #  /bin/netstat -nlp | grep sshd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3873/sshd
OMM1:~ # lsof -i :22
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
^C
OMM1:~ # lsof -n -i :22
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    3716 root    3r  IPv4   9506      0t0  TCP 192.168.10.110:ssh->192.168.10.9:59326 (ESTABLISHED)
sshd    3873 root    3u  IPv4   9902      0t0  TCP *:ssh (LISTEN)
ssh     3878 root    3u  IPv4   9990      0t0  TCP 127.0.0.1:11688->127.0.0.1:ssh (ESTABLISHED)
sshd    3879 root    3r  IPv4   9991      0t0  TCP 127.0.0.1:ssh->127.0.0.1:11688 (ESTABLISHED)
OMM1:~ #

And exiting the session takes a long time:

OMM1:~ # exit
logout
Connection to 127.0.0.1 closed.
OMM1:~/CVE-2015-5352 # ssh 127.0.0.1
Last login: Fri Jul 15 08:51:14 2016 from localhost
OMM1:~ # exit
Comment 36 Swamp Workflow Management 2017-01-11 10:26:38 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-01-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63340
Comment 38 Marcus Meissner 2017-02-23 09:36:28 UTC
posted note: 

"The ForwardX11Timeout feature was added in openssh 5.6p1, so older versions are not affected by this security issue."