Headline
Ubuntu Security Notice USN-7108-1
Ubuntu Security Notice 7108-1 - Fabian Bäumer, Marcus Brinkmann, and Joerg Schwenk discovered that AsyncSSH did not properly handle the extension info message. An attacker able to intercept communications could possibly use this issue to downgrade the algorithm used for client authentication. Fabian Bäumer, Marcus Brinkmann, and Joerg Schwenk discovered that AsyncSSH did not properly handle the user authentication request message. An attacker could possibly use this issue to control the remote end of an SSH client session via packet injection/removal and shell emulation.
==========================================================================Ubuntu Security Notice USN-7108-1November 18, 2024python-asyncssh vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several issues were fixed in AsyncSSH.Software Description:- python-asyncssh: asyncio-based client and server implementation of SSHv2 protocolDetails:Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk discovered that AsyncSSHdid not properly handle the extension info message. An attacker able tointercept communications could possibly use this issue to downgradethe algorithm used for client authentication. (CVE-2023-46445)Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk discovered that AsyncSSHdid not properly handle the user authentication request message. Anattacker could possibly use this issue to control the remote end of an SSHclient session via packet injection/removal and shell emulation.(CVE-2023-46446)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS python3-asyncssh 2.10.1-2ubuntu0.1+esm1 Available with Ubuntu ProUbuntu 22.04 LTS python3-asyncssh 2.5.0-1ubuntu0.1Ubuntu 20.04 LTS python3-asyncssh 1.12.2-1ubuntu0.2In general, a standard system update will make all the necessary changes.References: https://ubuntu.com/security/notices/USN-7108-1 CVE-2023-46445, CVE-2023-46446Package Information:https://launchpad.net/ubuntu/+source/python-asyncssh/2.5.0-1ubuntu0.1https://launchpad.net/ubuntu/+source/python-asyncssh/1.12.2-1ubuntu0.2Related news
An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack.
An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.
### Summary An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation. ### Details The rogue session attack targets any SSH client connecting to an AsyncSSH server, on which the attacker must have a shell account. The goal of the attack is to log the client into the attacker's account without the client being able to detect this. At that point, due to how SSH sessions interact with shell environments, the attacker has complete control over the remote end of the SSH session. The attacker receives all keyboard input by the user, completely controls the terminal output of the user's session, can send and receive data to/from forwarded network ports, and is able to create signatures with a forwarded SSH Agent, if any. The result is a complete break of the confidentiality and integrity of the secure channel, providing a strong vector for a targeted phishing campaign against the user. For e...
### Summary An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack. ### Details The rogue extension negotiation attack targets an AsyncSSH client connecting to any SSH server sending an extension info message. The attack exploits an implementation flaw in the AsyncSSH implementation to inject an extension info message chosen by the attacker and delete the original extension info message, effectively replacing it. A correct SSH implementation should not process an unauthenticated extension info message. However, the injected message is accepted due to flaws in AsyncSSH. AsyncSSH supports the server-sig-algs and global-requests-ok extensions. Hence, the attacker can downgrade the algorithm used for client authentication by meddling with the value of server-sig-algs (e.g. use of SHA-1 instead of SHA-2). ### PoC <details> <summary>AsyncSSH Client 2.14.0 (simple_client.py example) connecting to Asyn...