Ubuntu
openssh package

Include mitigation for CVE-2020-14145

Bug #2030275 reported by Marc Deslauriers
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Fix Released
Undecided
Nishit Majithia
Xenial
Fix Released
Undecided
Nishit Majithia
Bionic
Fix Released
Undecided
Nishit Majithia
Focal
Fix Released
Undecided
Nishit Majithia

Bug Description

While there is no actual fix for CVE-2020-14145, as the upstream OpenSSH developers have stated that there are no plans to change the behaviour of OpenSSH to fix the issue, there does exist a commit that does mitigate the issue in certain scenarios.

When the client has a host key that happens to match the first entry in the preferred algorithms list, the mitigation will have the client send the default algorithm ordering to the server.

See:

https://www.openwall.com/lists/oss-security/2020/12/02/1
https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d

This was included in Ubuntu 22.04 LTS and higher, but has not been included in 22.04 LTS and previous versions.

We should release an update with this mitigation included.

CVE References

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Changed in openssh (Ubuntu):
status: New → Fix Released
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Marc Deslauriers (mdeslaur)
Changed in openssh (Ubuntu Trusty):
assignee: nobody → Nishit Majithia (0xnishit)
Changed in openssh (Ubuntu Xenial):
assignee: nobody → Nishit Majithia (0xnishit)
Changed in openssh (Ubuntu Bionic):
assignee: nobody → Nishit Majithia (0xnishit)
Changed in openssh (Ubuntu Focal):
assignee: nobody → Nishit Majithia (0xnishit)
Changed in openssh (Ubuntu Trusty):
status: New → In Progress
Changed in openssh (Ubuntu Xenial):
status: New → In Progress
Changed in openssh (Ubuntu Bionic):
status: New → In Progress
Changed in openssh (Ubuntu Focal):
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:8.2p1-4ubuntu0.9

---------------
openssh (1:8.2p1-4ubuntu0.9) focal-security; urgency=medium

  * SECURITY UPDATE: information leak in algorithm negotiation (LP: #2030275)
    - debian/patches/CVE-2020-14145-mitigation.patch: tweak the client
      hostkey preference ordering algorithm in sshconnect2.c.
    - Note: This update does not solve CVE-2020-14145, but does mitigate
      the issue in the specific scenario where the user has a key that
      matches the best-preference default algorithm.

 -- Marc Deslauriers <email address hidden> Fri, 04 Aug 2023 18:02:08 -0400

Changed in openssh (Ubuntu Focal):
status: In Progress → Fix Released
Revision history for this message
Nishit Majithia (0xnishit) wrote :

The package has been updated with the mitigation
https://ubuntu.com/security/notices/USN-6279-1

Changed in openssh (Ubuntu Trusty):
status: In Progress → Fix Released
Changed in openssh (Ubuntu Xenial):
status: In Progress → Fix Released
Changed in openssh (Ubuntu Bionic):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.