oss-sec mailing list archives

Re: Announce: OpenSSH 9.3p2 released


From: Demi Marie Obenour <demi () invisiblethingslab com>
Date: Thu, 20 Jul 2023 21:22:08 -0400

On Fri, Jul 21, 2023 at 11:04:49AM +1000, Matthew Fernandez wrote:
> On 7/20/23 23:41, Sevan Janiyan wrote:
>> On 20/07/2023 14:24, Demi Marie Obenour wrote:
>>> Should there be a system-wide configuration file containing a list
>>> of known-good PKCS#11 libraries? ssh-agent having to guess if
>>> something is a PKCS#11 library is less than awesome.
>>
>> There's a compile-time setting for the paths from which you are able to
>> load libraries.
>
> I don't think this helps much though, right? The Qualys research that
> motivated this found an exploit chain using only libs present in /usr/lib in
> a default Ubuntu install. If you want to lock down loading to a specific
> non-/usr/lib path that you have control over, this suggests you know and are
> in control of the PKCS#11 providers you're going to support. In which case,
> why not avoid dynamic loading to begin with? I guess the allowlist and new
> defaults are the answer to this conundrum though.

IMO the root cause of this problem is that PKCS#11 libraries are installed
in /usr/lib, rather than in /usr/lib/pkcs11 or another subdirectory.
There should be an automated way to check if a library is a PKCS#11
library without having to load it.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
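The last point of the message above, an automated way to tell whether a library is a PKCS#11 module without loading it, as an added example that is not part of this thread and not OpenSSH's own code. It keys on `C_GetFunctionList`, the Cryptoki entry point every PKCS#11 module must export (and the symbol a consumer such as ssh-agent resolves after dlopen), and reads it out of the ELF64 dynamic symbol table by walking the section headers, so nothing in the candidate file ever executes. The ELF layout constants are from the ELF64 specification; `build_fake_elf` is a constructed test fixture, not a real library, and the function and variable names are this example's own.

```python
"""Check whether a shared object exports the PKCS#11 entry point without loading it.

Added example (not from the thread or from OpenSSH): read the ELF64 .dynsym of a
candidate library and look for C_GetFunctionList instead of dlopen()ing it.
build_fake_elf() is a constructed fixture used to exercise the parser offline.
"""
import struct
import sys
from pathlib import Path

SHT_STRTAB = 3      # section types from the ELF spec
SHT_DYNSYM = 11
SHN_UNDEF = 0       # st_shndx of a symbol the object imports rather than defines
PKCS11_ENTRY = "C_GetFunctionList"

EHDR_FMT = "<HHIQQQIHHHHHH"   # ELF64 header fields after the 16-byte e_ident
SHDR_FMT = "<IIQQQQIIQQ"      # Elf64_Shdr
SYM_FMT = "<IBBHQQ"           # Elf64_Sym


def dynamic_exports(data: bytes) -> set[str]:
    """Names of symbols *defined* in the .dynsym of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_, _, _, _, _, e_shoff, _, _, _, _,
     e_shentsize, e_shnum, _) = struct.unpack_from(EHDR_FMT, data, 16)
    sections = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    exports: set[str] = set()
    for _, sh_type, _, _, sh_off, sh_size, sh_link, _, _, sh_entsize in sections:
        if sh_type != SHT_DYNSYM:
            continue
        # sh_link names the string table (.dynstr) holding the symbol names
        _, _, _, _, str_off, str_size, _, _, _, _ = sections[sh_link]
        strtab = data[str_off:str_off + str_size]
        entsize = sh_entsize or struct.calcsize(SYM_FMT)
        for j in range(sh_size // entsize):
            st_name, _, _, st_shndx, _, _ = struct.unpack_from(SYM_FMT, data, sh_off + j * entsize)
            if st_shndx == SHN_UNDEF:
                continue  # imported (e.g. malloc), not something this object provides
            end = strtab.find(b"\0", st_name)
            if st_name and end != -1:
                exports.add(strtab[st_name:end].decode("ascii", "replace"))
    return exports


def looks_like_pkcs11(data: bytes) -> bool:
    """True if the image exports C_GetFunctionList, the entry point a PKCS#11 consumer dlsym()s."""
    return PKCS11_ENTRY in dynamic_exports(data)


def scan_directory(directory: str) -> list[str]:
    """Paths under `directory` that look like PKCS#11 modules; unreadable/non-ELF files are skipped."""
    found = []
    for path in sorted(Path(directory).rglob("*.so*")):
        try:
            if path.is_file() and looks_like_pkcs11(path.read_bytes()):
                found.append(str(path))
        except (OSError, ValueError, struct.error):
            continue
    return found


def build_fake_elf(exports: list[str], imports: list[str] = ()) -> bytes:
    """Constructed fixture: a minimal ELF64 image with only .dynsym and .dynstr (no code, not loadable)."""
    strtab = b"\0"
    syms = [struct.pack(SYM_FMT, 0, 0, 0, 0, 0, 0)]  # mandatory null symbol
    for name, defined in [(n, True) for n in exports] + [(n, False) for n in imports]:
        st_name = len(strtab)
        strtab += name.encode() + b"\0"
        # st_shndx 1 is a dummy "defined in some section" index; SHN_UNDEF marks an import
        syms.append(struct.pack(SYM_FMT, st_name, 0x12, 0, 1 if defined else SHN_UNDEF, 0x1000, 0))
    dynsym = b"".join(syms)
    dynsym_off = 64
    dynstr_off = dynsym_off + len(dynsym)
    shoff = (dynstr_off + len(strtab) + 7) & ~7  # section headers, 8-byte aligned
    shdrs = [
        struct.pack(SHDR_FMT, *([0] * 10)),                                                # [0] null
        struct.pack(SHDR_FMT, 0, SHT_DYNSYM, 2, 0, dynsym_off, len(dynsym), 2, 1, 8, 24),  # [1] .dynsym -> [2]
        struct.pack(SHDR_FMT, 0, SHT_STRTAB, 2, 0, dynstr_off, len(strtab), 0, 0, 1, 0),  # [2] .dynstr
    ]
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, version 1
    ehdr = e_ident + struct.pack(EHDR_FMT, 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(shdrs), 0)
    body = ehdr + dynsym + strtab
    return body + b"\0" * (shoff - len(body)) + b"".join(shdrs)


if __name__ == "__main__":
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "/usr/lib"):
        print(hit)
```

Run it against a library directory to get the candidate list for a known-good configuration file of the kind the message asks for. Two caveats: the exported symbol only says "this is shaped like a PKCS#11 module", so a malicious or broken library can pass the check and the path allowlist (ssh-agent's `-P` option) is still needed; and the parser handles only little-endian ELF64, which covers the /usr/lib case discussed above but not other formats.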
