CVEs in AlmaLinux 8 OpenSSH?

Hi all,

Server is running AlmaLinux 8.10 openssh-8.0p1-25.el8_10.x86_64 , the latest version in the repositories.

I couldn’t find any definite information online whether this version has patches for the following vulnerabilities in OpenSSH versions < 9.6:

  • CVE-2023-38408
  • CVE-2019-16905
  • CVE-2021-41617
  • CVE-2023-51385
  • CVE-2023-48795
  • CVE-2023-51384

Could you confirm the patches for these in the version of OpenSSH in the AlmaLinux 8 repositories?

Thanks,
Joe

Rather than online, you can ask from a package:

rpm -q --changelog openssh-server | grep -E "2023-38408|2019-16905|2021-41617|2023-51385|2023-48795|2023-51384"

Alas, that lists only two.

Back to online? Google for RHEL CVE 2019-16905 yields at least a Bugzilla entry 1767966 – (CVE-2019-16905) CVE-2019-16905 openssh: an integer overflow in the private key parsing code for the XMSS key type that says:

The OpenSSH in Fedora and RHEL is built without the XMSS support so I will close these as a not a bug.
and, more importantly: cve-details says “Not Affected”.

How about CVE-2023-51385? The cve-details says “Fixed” for RHEL 8.

For these two CVEs, the RHEL 8’s openssh ought to be good. The only open question is, how compatible AlmaLinux 8 is to RHEL 8?
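The changelog grep above is the quickest local check, but it only answers "is this CVE string mentioned somewhere", and a CVE that is not mentioned may still be not applicable (as turns out to be the case for the XMSS one). The following script is an added example, not code from this thread or from AlmaLinux: it wraps the same `rpm -q --changelog` idea in a function that reports, per CVE, whether the identifier appears in a changelog, so that the list of "not mentioned" entries is the exact list you still have to research by other means. The changelog text embedded below is constructed for the demo and is not the real openssh-server changelog; on a real host you would feed in the output of `rpm -q --changelog openssh-server` as shown in the usage comment.

```shell
#!/bin/sh
# Added example (not from the thread): report which CVE identifiers a package
# changelog mentions. The input is the changelog text itself, so the logic can
# be run offline; on a real host pass "$(rpm -q --changelog openssh-server)".

# check_cves CHANGELOG_TEXT CVE...
# Prints one line per CVE: "<CVE>: mentioned" or "<CVE>: not mentioned".
# Matching is case-insensitive and accepts the id with or without the "CVE-"
# prefix, because some changelog entries only write the bare "YYYY-NNNNN".
check_cves() {
    changelog=$1
    shift
    for cve in "$@"; do
        id=${cve#CVE-}
        if printf '%s\n' "$changelog" | grep -qiE "cve-?$id|\b$id\b"; then
            echo "$cve: mentioned"
        else
            echo "$cve: not mentioned"
        fi
    done
}

# count_missing CHANGELOG_TEXT CVE...
# Prints how many of the given CVEs are NOT mentioned in the changelog; these
# are the ones that still need an errata / Bugzilla / build-flag check.
count_missing() {
    check_cves "$@" | grep -c 'not mentioned' || true
}

# Constructed sample changelog imitating the shape of `rpm -q --changelog`
# output. Dates, maintainer and release numbers are made up for the demo.
SAMPLE_CHANGELOG='* Mon Jul 24 2023 Example Maintainer <maint@example.invalid> - 8.0p1-19
- Fix CVE-2023-38408 (remote code execution via ssh-agent forwarding)

* Tue Sep 28 2021 Example Maintainer <maint@example.invalid> - 8.0p1-10
- Upstream fix for CVE-2021-41617'

# The six CVEs asked about in the original post.
CVES="CVE-2023-38408 CVE-2019-16905 CVE-2021-41617 CVE-2023-51385 CVE-2023-48795 CVE-2023-51384"

# Usage on a real AlmaLinux/RHEL host (not run here):
#   check_cves "$(rpm -q --changelog openssh-server)" $CVES
# Demo run against the constructed changelog:
if [ "${1:-}" = "--demo" ]; then
    check_cves "$SAMPLE_CHANGELOG" $CVES
    echo "still to verify: $(count_missing "$SAMPLE_CHANGELOG" $CVES)"
fi
```

Run with `sh script.sh --demo`. Against the constructed changelog it reports the two CVEs the thread found in the real changelog as mentioned and the other four as not mentioned, which mirrors the "lists only two" result above: the script cannot tell "unpatched" from "not applicable", it only narrows the list that needs the errata or build-spec check.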

Hi jlehtone,

Thanks for advising. The changelog for OpenSSH does indeed mention CVE-2023-38408 and CVE-2021-41617. After some further looking I found a page on AlmaLinux 8 Errata detailing fixes for CVE-2023-48795 and CVE-2023-51385: ALSA-2024:0606
And a page on RedHat Customer Portal indicating that CVE-2023-51384 is not applicable for OpenSSH 8.0 (only 8.9 to 9.5): cve-details

This leaves only CVE-2019-16905. The Red Hat Bugzilla page linked above does indeed state that this CVE is not applicable for the RHEL version of OpenSSH 8.0 because it is not compiled with XMSS key support.

For these two CVEs, the RHEL 8’s openssh ought to be good. The only open question is, how compatible AlmaLinux 8 is to RHEL 8?

From my limited understanding, AlmaLinux aims to be ABI-compatible with the equivalent version number of RHEL, which I understand to mean that essentially it’s possible to use binaries and shared libraries built for one on the other (correct me if I am wrong here). Would this necessarily mean that the behaviour or feature set of the binaries in each are exactly the same in all cases? In any case, we wouldn’t have access to the RHEL version of OpenSSH without being a customer of Red Hat.

What I’m looking into now is - how can we confirm whether or not openssh-8.0p1-25.el8_10.x86_64 for AlmaLinux 8.10 has XMSS key support? Running e.g. ‘ssh-keygen -t xmss’ from the server itself gives the expected result ‘unknown key type xmss’, and running ‘ssh -Q key’ does not include any mention of xmss in the list. Is it possible to verify this remotely e.g. listing available authentication methods and key types when attempting to connect to the server from an SSH client on another machine?

Thanks again,
Joe

To keep this thread updated in case anyone else gets the same ‘OpenSSH < 9.x’ vulnerabilities listed in the report from a PCI compliance scan (which is why I asked - probably should have mentioned that in the OP!) - here are the details we eventually sent the PCI company, which they accepted as a verified false-positive.

Apologies for the URL clutter in the below, got an error ‘Sorry, new users can only put 2 links in a post’ when I attempted to post it with normal hyperlinks.

The exact version of OpenSSH installed on the server consists of the packages from the following location: https://repo.almalinux.org/almalinux/8.10/BaseOS/x86_64/os/Packages/ - in particular openssh-8.0p1-25.el8_10.x86_64.rpm, openssh-server-8.0p1-25.el8_10.x86_64.rpm.

These are compiled from the sources at: https://git.almalinux.org/rpms/openssh/src/tag/imports/c8/openssh-8.0p1-25.el8_10

See in particular the following included patches, backported from newer versions of OpenSSH, named after the CVEs they fix:

  • https://git.almalinux.org/rpms/openssh/src/tag/imports/c8/openssh-8.0p1-25.el8_10/SOURCES/openssh-8.7p1-upstream-cve-2021-41617.patch
  • https://git.almalinux.org/rpms/openssh/src/tag/imports/c8/openssh-8.0p1-25.el8_10/SOURCES/openssh-9.3p1-upstream-cve-2023-38408.patch
  • https://git.almalinux.org/rpms/openssh/src/tag/imports/c8/openssh-8.0p1-25.el8_10/SOURCES/openssh-9.6p1-CVE-2023-48795.patch
  • https://git.almalinux.org/rpms/openssh/src/tag/imports/c8/openssh-8.0p1-25.el8_10/SOURCES/openssh-9.6p1-CVE-2023-51385.patch

The bug report of CVE-2023-51384 (https://bugzilla.redhat.com/show_bug.cgi?id=2255268) references the following code that introduces the vulnerability: https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b
This code is not present in the sources of openssh-8.0p1-25.el8_10 in the AlmaLinux 8.10 release (original openssh-8.0p1.tar.gz with matching SHA1 checksum (https://git.almalinux.org/rpms/openssh/src/tag/imports/c8/openssh-8.0p1-25.el8_10/.openssh.metadata) and PGP signature (https://git.almalinux.org/rpms/openssh/src/branch/c8/SOURCES/openssh-8.0p1.tar.gz.asc) plus patches in the repository linked above).

CVE-2019-16905 (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-16905) requires OpenSSH to be compiled with XMSS key support using the WITH_XMSS macro (https://ssd-disclosure.com/ssd-advisory-openssh-pre-auth-xmss-integer-overflow/) (i.e. -DWITH_XMSS compiler flag) which is not present in the build specification for openssh-8.0p1-25.el8_10 in the AlmaLinux 8.10 release (https://git.almalinux.org/rpms/openssh/src/branch/c8/SPECS/openssh.spec).

The sources linked above were built into the AlmaLinux 8.10 release as can be seen in this entry of the AlmaLinux Build System: https://build.almalinux.org/build/16589
More information on the AlmaLinux Build System can be found in the AlmaLinux Build System documentation and wiki: https://github.com/AlmaLinux/build-system https://github.com/AlmaLinux/build-system/wiki/

I also included terminal output from the server of OS info as seen in the /etc/os-release file, information of all installed OpenSSH packages and SHA1 checksums of all files included in each, and the resolved URLs of the packages in the repos used by the server, using the following commands (may be different on your server’s OS):

cat /etc/os-release
dnf repoquery --info --installed openssh*
dnf repoquery --location openssh*
dnf repoquery -l openssh | xargs sha1sum
dnf repoquery -l openssh-clients | xargs sha1sum
dnf repoquery -l openssh-server | xargs sha1sum

Hope that helps anyone else currently having fun with PCI compliance reports.

– Joe