-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-23:19.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Prefix Truncation Attack in the SSH protocol

Category:       contrib
Module:         openssh
Announced:      2023-12-19
Credits:        Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk
Affects:        All supported versions of FreeBSD.
Corrected:      2023-12-18 16:54:31 UTC (stable/14, 14.0-STABLE)
                2023-12-19 20:19:48 UTC (releng/14.0, 14.0-RELEASE-p4)
                2023-12-18 17:10:15 UTC (stable/13, 13.2-STABLE)
                2023-12-19 20:19:57 UTC (releng/13.2, 13.2-RELEASE-p9)
CVE Name:       CVE-2023-48795

Note: While this issue does affect 12.4-STABLE and 12.4-RELEASE, the version
of OpenSSH in 12.4 is old enough the vendor provided patch does not cleanly
apply. As 12.4 goes out of support at the end of December and in order to
quickly get fixes out for 14.0 and 13.2, the FreeBSD Security Team is issuing
this advisory now while feasibility of a 12.4 backport is investigated. Users
with 12.4 are encouraged to either implement the documented workaround or
leverage an up to date version of OpenSSH from the ports/pkg collection.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision History

v1.0  2023-12-19 -- Initial release
v1.1  2023-12-20 -- Corrected work around paths

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services, including
remote shell access.

II.  Problem Description

The SSH protocol executes an initial handshake between the server and the
client. This protocol handshake includes the possibility of several
extensions allowing different options to be selected. Validation of the
packets in the handshake is done through sequence numbers.

III. Impact

A man in the middle attacker can silently manipulate handshake messages to
truncate extension negotiation messages potentially leading to less secure
client authentication algorithms or deactivating keystroke timing attack
countermeasures.

IV.  Workaround

Add the following lines to /etc/ssh/ssh_config and /etc/ssh/sshd_config:
  Ciphers -chacha20-poly1305@openssh.com
  MACs -*etm@openssh.com

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platfrom on FreeBSD 13 and earlier, can be updated via
the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:19/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-23:19/openssh.patch.asc
# gpg --verify openssh.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              673d1ead65c9    stable/14-n266020
releng/14.0/                            b9856d61e99d  releng/14.0-n265399
stable/13/                              3bafcb9744c9    stable/13-n256910
releng/13.2/                            69bd68ba30c0  releng/13.2-n254651
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://terrapin-attack.com/>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:19.openssh.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmWCZcoACgkQbljekB8A
Gu8fKA/9EzmQuXALYWjHoXAsizzgP1jw3sjN2sNqlggiAkTiN6pEQs8VlIroeTUn
2hfktGHX9RQ85czE2VDHgP/HMA0cm84CIuF0g+m4cxzO8v1m+5bKd44jEJLjwO/P
/LOmL3PYAfp6S1nHhgprq8Hw1GEKrlySLs+MYj3FwfdcqdTMuvrFsUDef7KQ7MVy
lvj5oJQZitPQ4EGhGiHVobl6vWdU/xuroHlNtdEqExbOqOyVDH7daSfu7ipd20Y+
2plRLjkscwlneLjdDe420cebYWxnvUamD09ppTiANaknjlCTf2Tclb6Wf8nAtxaA
VsJosQSpI730fpxDn7S9ARHYOymwUf1ptQQd5q8Zj415+eVjJ7XGd96z6hx3B3Yt
zJv7mwC22Cp9wqBMvAG9/z7kxZ5buhC25VR795SxnN/uwNqnH/OHxBV4oTEmf5Lk
ytLqIekrPJqTiGgSGPkylXtfFaV0YJnkXGWeAduaoWEKwO8zaFEkMXypc7L5J9XT
rSKMpPL2+vczKyQ534uzjGFLY5o0pI9EhQtDtxHkJ6olN3xfuBT/GkBkxe3JFxmE
2pHvMplErDpprieNhICVey/polRzk7JIA+M1x7o2IZZVnlc1vsPIeXnOOMzY4+7z
qeymU3QQf2pmIZpVL3dp26bnTB0oCRaJwEb5nuMfutIzTz4t1TY=
=hvau
-----END PGP SIGNATURE-----