Bug 1818103
| Summary: | SSH Server CBC Mode Ciphers Enabled in RHCOS | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Sara Ferguson <sferguso> |
| Component: | crypto-policies | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 8.1 | CC: | bbreard, dustymabe, dyocum, imcleod, jligon, nmavrogi, nstielau, tmraz, walters |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-03-31 07:38:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Comment 1
Colin Walters
2020-03-27 17:25:08 UTC
I happened to have a RHEL8 VM booted in OpenStack and it behaves the same way. This looks like it should be a RHEL bug.
```
$ sshq -l cloud-user 10.0.149.74
Warning: Permanently added '10.0.149.74' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Wed Mar 11 12:07:15 2020 from 10.18.41.196
[cloud-user@micah-rhel8-1105a ~]$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.1 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.1"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.1 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.1:GA"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.1
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.1"
[cloud-user@micah-rhel8-1105a ~]$ rpm -q openssh
openssh-8.0p1-4.el8_1.x86_64
[cloud-user@micah-rhel8-1105a ~]$ sudo sshd -T | grep -i cipher
ciphers chacha20-poly1305,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes256-gcm
[cloud-user@micah-rhel8-1105a ~]$ exit
logout
Connection to 10.0.149.74 closed.
$ sshq -l cloud-user 10.0.149.74 -c aes256-cbc -vvv
OpenSSH_8.0p1, OpenSSL 1.1.1d FIPS 10 Sep 2019
debug1: Reading configuration data /home/miabbott/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
- - - - - - - - -8<- - - - - - - - -
debug2: ciphers ctos: aes256-cbc
debug2: ciphers stoc: aes256-cbc
- - - - - - - - -8<- - - - - - - - -
debug2: ciphers ctos: aes256-gcm,chacha20-poly1305,aes256-ctr,aes256-cbc,aes128-gcm,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm,chacha20-poly1305,aes256-ctr,aes256-cbc,aes128-gcm,aes128-ctr,aes128-cbc
- - - - - - - - -8<- - - - - - - - -
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Fri Mar 27 14:34:45 2020 from 10.3.113.229
[cloud-user@micah-rhel8-1105a ~]$
```
Please note that the vulnerability (fairly low impact one as described on http://www.openssh.com/txt/cbc.adv) exists only when the plain MAC algorithms are used (not the encrypt-then-mac algorithms with -etm). The cbc algorithms are also enabled for interoperability with other SSH implementations.

Jakub, perhaps we could disable them in other policies than LEGACY? Although that would be quite problematic to do given we have no special configuration value for SSH ciphers and disabling CBC ciphers everywhere is probably something we do not want to do.

Well ... first of all, the original CVE from 2008 was fixed in 2009 to mitigate the attack to be unfeasible [1]:

> Probability of successful recovering 32 bits of plain text is roughly 2^-18

We have this well documented in the KBS [1].

Additionally, these are enabled only later in the list of supported algorithms for interoperability, so if both client and server are under your control (and support something reasonable) and you do not mess with configuration, they will never be negotiated (no, no, the algorithm negotiation is authenticated, which prevents its modification by man in the middle).

This means there is really no security issue coming from this, even if your scanner or random link on the internet says otherwise.

On the other hand, they are no longer enabled in upstream openssh, which makes it a little bit more pushing for us to follow suit. I would not like to introduce another complexity to the crypto policies, but if Tomas is fine with that, we can change this.

[1] https://access.redhat.com/solutions/420283

But certainly nothing we would be able to fix in OpenSSH now. Moving to crypto policies, which defines this default for us.

One thing we should document though and be sure works is switching crypto policies via the MCO https://github.com/openshift/machine-config-operator/

And also an example for hardening SSH directly.

(In reply to Colin Walters from comment #7)
> One thing we should document though and be sure works is switching crypto
> policies via the MCO https://github.com/openshift/machine-config-operator/
> And also an example for hardening SSH directly.

Please report that as an issue against the relevant documentation component.

Given the risk of disabling access to an RHEL-8 server for legacy clients that support only CBC modes I am afraid that dropping the CBC modes from even the DEFAULT policy would be too risky. I am thus closing this as WONTFIX for RHEL-8.

For RHEL-9 I'd propose to drop the CBC modes from the SSH configs altogether. I will handle this change upstream.
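Added example, not part of the bug thread and not Red Hat's code: the Python below applies the SSH negotiation rule (RFC 4253 section 7.1: the first cipher on the client's list that the server also lists is chosen) to the cipher lists quoted in comment 1, and compares the server's on-the-wire offer with the `sshd -T` line from the same session. The function names are hypothetical, and the two `KEXINIT proposal` header lines in the sample are an assumption, restored because the thread's excerpt elides them.

```python
import re

# Constructed sample: the `ssh -vvv` cipher lines from comment 1, with the
# KEXINIT section headers (elided in the thread) restored as an assumption.
SAMPLE_DEBUG = """\
debug2: local client KEXINIT proposal
debug2: ciphers ctos: aes256-cbc
debug2: ciphers stoc: aes256-cbc
debug2: peer server KEXINIT proposal
debug2: ciphers ctos: aes256-gcm,chacha20-poly1305,aes256-ctr,aes256-cbc,aes128-gcm,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm,chacha20-poly1305,aes256-ctr,aes256-cbc,aes128-gcm,aes128-ctr,aes128-cbc
"""
# The `sshd -T | grep -i cipher` line from the same session.
SSHD_T_LINE = "ciphers chacha20-poly1305,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes256-gcm"

def parse_proposals(debug_text):
    """Return {'client': [...], 'server': [...]} of client-to-server ciphers."""
    proposals, side = {}, None
    for line in debug_text.splitlines():
        header = re.match(r"debug2: (local client|peer server) KEXINIT proposal", line)
        if header:
            side = header.group(1).split()[1]  # "client" or "server"
            continue
        m = re.match(r"debug2: ciphers ctos: (\S+)", line)
        if m and side:
            proposals[side] = m.group(1).split(",")
    return proposals

def negotiate(client, server):
    """First algorithm on the client's list that the server also lists."""
    return next((c for c in client if c in server), None)

def cbc_ciphers(ciphers):
    """CBC-mode entries of a cipher list, in their original order."""
    return [c for c in ciphers if c.endswith("-cbc")]

def offered_but_not_reported(server_offer, sshd_t_line):
    """Ciphers the server offers on the wire that `sshd -T` did not list."""
    reported = set(sshd_t_line.split(None, 1)[1].split(","))
    return [c for c in server_offer if c not in reported]

if __name__ == "__main__":
    p = parse_proposals(SAMPLE_DEBUG)
    print("server offers CBC:", cbc_ciphers(p["server"]))
    print("forced client (-c aes256-cbc) gets:", negotiate(p["client"], p["server"]))
    # Assumption: a client using the same preference order as the server.
    print("same-policy client gets:", negotiate(p["server"], p["server"]))
    print("missing from sshd -T:", offered_but_not_reported(p["server"], SSHD_T_LINE))
```

On the thread's data, a CBC cipher is chosen only when the client restricts its own list to one, and the two CBC entries the server offers are exactly the ones absent from the `sshd -T` line.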