From 564490a50e0195a716981ae9456e9b1930a7a6ba Mon Sep 17 00:00:00 2001 From: Andrei Gherzan Date: Thu, 30 Aug 2018 12:51:48 +0100 Subject: [PATCH] dropbear/sumo: Enhanced security options We deactivate various configuration knobs which have security concerns: * DROPBEAR_X11FWD - no need to run X over ssh * DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue. * DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext. * DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security". Fixes: #1161 Change-type: minor Changelog-entry: Enhanced security options for dropbear - sumo Signed-off-by: Andrei Gherzan --- .../dropbear/dropbear_2017.75.bbappend | 4 ++ .../0001-Secure-configuration-options.patch | 65 +++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 meta-resin-sumo/recipes-core/dropbear/dropbear_2017.75.bbappend create mode 100644 meta-resin-sumo/recipes-core/dropbear/files/0001-Secure-configuration-options.patch diff --git a/meta-resin-sumo/recipes-core/dropbear/dropbear_2017.75.bbappend b/meta-resin-sumo/recipes-core/dropbear/dropbear_2017.75.bbappend new file mode 100644 index 0000000000..b40fc91888 --- /dev/null +++ b/meta-resin-sumo/recipes-core/dropbear/dropbear_2017.75.bbappend @@ -0,0 +1,4 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" +SRC_URI += " \ + file://0001-Secure-configuration-options.patch \ + " diff --git a/meta-resin-sumo/recipes-core/dropbear/files/0001-Secure-configuration-options.patch b/meta-resin-sumo/recipes-core/dropbear/files/0001-Secure-configuration-options.patch new file mode 100644 index 0000000000..653499673d --- /dev/null +++ b/meta-resin-sumo/recipes-core/dropbear/files/0001-Secure-configuration-options.patch @@ -0,0 +1,65 @@ +From ae62abd529b985130f747277758fa078780aeda6 Mon Sep 17 00:00:00 2001 +From: Andrei Gherzan +Date: Thu, 30 Aug 2018 12:33:08 +0100 +Subject: [PATCH] Secure configuration options + +We deactivate various configuration knobs which have security concerns: + +* DROPBEAR_X11FWD - no need to run X over ssh +* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is + reported by OpenVAS as a low severity security issue. +* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow + an attacker to obtain plaintext from a block of cyphertext. +* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in + newer versions mentioned as "too small for security". See: +https://github.com/mkj/dropbear/blob/d740dc548924f2faf0934e5f9a4b83d2b5d6902d/default_options.h#L141 + +Signed-off-by: Andrei Gherzan +Upstream-status: Inappropriate [configuration] +--- + options.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/options.h b/options.h +index f6705c6..ec4f414 100644 +--- a/options.h ++++ b/options.h +@@ -55,7 +55,7 @@ much traffic. */ + #define DROPBEAR_SMALL_CODE + + /* Enable X11 Forwarding - server only */ +-#define ENABLE_X11FWD ++/* #define ENABLE_X11FWD */ + + /* Enable TCP Fowarding */ + /* 'Local' is "-L" style (client listening port forwarded via server) +@@ -100,7 +100,7 @@ much traffic. */ + + /* Enable CBC mode for ciphers. This has security issues though + * is the most compatible with older SSH implementations */ +-#define DROPBEAR_ENABLE_CBC_MODE ++/* #define DROPBEAR_ENABLE_CBC_MODE */ + + /* Enable "Counter Mode" for ciphers. This is more secure than normal + * CBC mode against certain attacks. It is recommended for security +@@ -131,7 +131,7 @@ If you test it please contact the Dropbear author */ + * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, + * which are not the standard form. */ + #define DROPBEAR_SHA1_HMAC +-#define DROPBEAR_SHA1_96_HMAC ++/* #define DROPBEAR_SHA1_96_HMAC */ + #define DROPBEAR_SHA2_256_HMAC + #define DROPBEAR_SHA2_512_HMAC + #define DROPBEAR_MD5_HMAC +@@ -170,7 +170,7 @@ If you test it please contact the Dropbear author */ + + /* Group14 (2048 bit) is recommended. Group1 is less secure (1024 bit) though + is the only option for interoperability with some older SSH programs */ +-#define DROPBEAR_DH_GROUP1 1 ++#define DROPBEAR_DH_GROUP1 0 + #define DROPBEAR_DH_GROUP14 1 + + /* Control the memory/performance/compression tradeoff for zlib. +-- +2.7.4 +