Gentoo Linux Security Advisory 202212-6 - Multiple vulnerabilities have been found in OpenSSH, the worst of which could result in arbitrary code execution. Versions less than 9.1_p1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: OpenSSH: Multiple Vulnerabilities  
     Date: December 28, 2022  
     Bugs: #874876, #733802, #815010  
       ID: 202212-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in OpenSSH, the worst of which  
could result in arbitrary code execution.

Background  
=========  
OpenSSH is a free application suite consisting of server and clients  
that replace tools like telnet, rlogin, rcp and ftp with more secure  
versions offering additional functionality.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-misc/openssh           < 9.1_p1                    >= 9.1_p1

Description  
==========  
Multiple vulnerabilities have been discovered in OpenSSH. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All OpenSSH users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/openssh-9.1_p1"

References  
=========  
[ 1 ] CVE-2020-15778  
      https://nvd.nist.gov/vuln/detail/CVE-2020-15778

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-06

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-06

StreamX applications from versions 6.02.01 to 6.04.34 are affected by a logic bug that allows to bypass the implemented authentication scheme. StreamX applications using StreamView HTML component with the public web server feature activated are affected.

CVE-2022-4779: StreamX release notes - Elvexys SA

A vulnerability was found in Dropbox merou. It has been classified as critical. Affected is the function add_public_key of the file grouper/public_key.py of the component SSH Public Key Handler. The manipulation of the argument public_key_str leads to injection. It is possible to launch the attack remotely. The name of the patch is d93087973afa26bc0a2d0a5eb5c0fde748bdd107. It is recommended to apply a patch to fix this issue. VDB-216906 is the identifier assigned to this vulnerability.

@@ -11,7 +11,7 @@

get\_public\_keys\_of\_user,

PublicKeyParseError,

)

from tests.constants import SSH\_KEY\_1, SSH\_KEY\_BAD

from tests.constants import SSH2\_KEY\_BAD, SSH\_KEY\_1, SSH\_KEY\_BAD, SSH\_KEY\_BAD\_MULTILINE

from tests.fixtures import session, users \# noqa: F401

  

  

@@ -41,6 +41,16 @@ def test\_bad\_key(session, users): # noqa: F811

assert get\_public\_keys\_of\_user(session, user.id) \== \[\]

  

  

@pytest.mark.parametrize("key", \[SSH\_KEY\_BAD\_MULTILINE, SSH2\_KEY\_BAD\])

def test\_multiline\_key(key, session, users): \# noqa: F811

user \= users\["cbguder@a.co"\]

  

with pytest.raises(PublicKeyParseError, match\="Public key cannot have newlines"):

add\_public\_key(session, user, key)

  

assert get\_public\_keys\_of\_user(session, user.id) \== \[\]

  

  

@patch("grouper.public\_key.get\_plugin\_proxy")

def test\_rejected\_key(get\_plugin\_proxy, session, users): \# noqa: F811

get\_plugin\_proxy.return\_value \= PluginProxy(\[PublicKeyPlugin()\])

CVE-2022-4768: Block injection attack in ssh public key handling (#673) · dropbox/merou@d930879

Some Dahua software products have a vulnerability of unauthenticated un-throttled ICMP requests on remote DSS Server. After bypassing the firewall access control policy, by sending a specific crafted packet to the vulnerable interface, an attacker could exploit the victim server to launch ICMP request attack to the designated target host.

**Advisory ID****：**DHCC-SA-202212-001

**First Published****：**2022-12-20

Cybersecurity is an on-going challenge for all IoT connected device manufacturers and users, as it is for all digital products and services. Dahua Technology is committed to developing and maintaining state-of-the-art cybersecurity practices, including through our product design process and our customer-facing Dahua Cybersecurity Center (DHCC) for transparent vulnerability reporting and handling.

In response to security issues reported by Bashis from IPVM, Dahua immediately conducted a comprehensive investigation of affected product models and has developed patches and firmware that fix the vulnerabilities. Please download from https://software.dahuasecurity.com/en/download or contact Dahua local technical support to upgrade.

We strongly suggest, consistent with cybersecurity best practice, that all Dahua customers follow our security advisory, in order to ensure their systems are up-to-date and maximally protected. In the meantime, customers with other concerns on cybersecurity related issues, please feel free to contact us at cybersecurity@dahuatech.com.

**Summary**

1.    CVE-2022- 45423

Some Dahua software products have a vulnerability of unauthenticated request of MQTT credentials. An attacker can obtain encrypted MQTT credentials by sending a specially crafted packet to the vulnerable interface (the credentials cannot be directly exploited).

2.    CVE-2022- 45424

Some Dahua software products have a vulnerability of unauthenticated request of AES crypto key. An attacker can obtain the AES crypto key by sending a specially crafted packet to the vulnerable interface.

3.    CVE-2022- 45425

Some Dahua software products have a vulnerability of using of hard-coded cryptographic key. An attacker can obtain the AES crypto key by exploiting this vulnerability.

4.    CVE-2022- 45426

Some Dahua software products have a vulnerability of unrestricted download of file. After obtaining the permissions of ordinary users, by sending a specially crafted packet to the vulnerable interface, an attacker can download arbitrary files.

5.    CVE-2022- 45427

Some Dahua software products have a vulnerability of unrestricted upload of file. After obtaining the permissions of administrators, by sending a specially crafted packet to the vulnerable interface, an attacker can upload arbitrary files.

6.    CVE-2022- 45428

Some Dahua software products have a vulnerability of sensitive information leakage. After obtaining the permissions of administrators, by sending a specially crafted packet to the vulnerable interface, an attacker can obtain the debugging information.

7.    CVE-2022- 45429

Some Dahua software products have a vulnerability of server-side request forgery (SSRF). An Attacker can access internal resources by concatenating links (URL) that conform to specially rules.

8.    CVE-2022- 45430

Some Dahua software products have a vulnerability of unauthenticated enable or disable SSHD service. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could enable or disable the SSHD service.

Note: This vulnerability affects Linux based system only.

9.    CVE-2022- 45431

Some Dahua software products have a vulnerability of unauthenticated restart of remote DSS Server. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could unauthenticated restart of remote DSS Server.

Note: This vulnerability affects Linux based system only.

10.   CVE-2022- 45432

Some Dahua software products have a vulnerability of unauthenticated search for devices. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could unauthenticated search for devices in range of IPs from remote DSS Server.

Note: This vulnerability affects Windows based system only.

11.   CVE-2022- 45433

Some Dahua software products have a vulnerability of unauthenticated traceroute host from remote DSS Server. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could get the traceroute results.

Note: This vulnerability affects Windows based system only.

12.   CVE-2022- 45434

Some Dahua software products have a vulnerability of unauthenticated un-throttled ICMP requests on remote DSS Server. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could exploit the victim server to launch ICMP request attack to the designated target host.

Note: This vulnerability affects Windows based system only.

**Vulnerability Score**

The vulnerability classification has been performed by using the CVSSv3.1 scoring system (http://www.first.org/cvss/speciallyation-document).

CVE-2022-45423

Base Score: 5.3(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Temporal Score: 4.8(E:P/RL:O/RC:C)

CVE-2022-45424

Base Score: 7.5(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 6.7(E:P/RL:O/RC:C)

CVE-2022-45425

Base Score: 7.5(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 6.7(E:P/RL:O/RC:C)

CVE-2022-45426

Base Score: 7.7(AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Temporal Score: 6.9(E:P/RL:O/RC:C)

CVE-2022-45427

Base Score: 8.7(AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H)

Temporal Score: 7.8(E:P/RL:O/RC:C)

CVE-2022-45428

Base Score: 4.9(AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 4.4(E:P/RL:O/RC:C)

CVE-2022-45429

Base Score: 9.8(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Temporal Score: 8.8(E:P/RL:O/RC:C)

CVE-2022-45430

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)

Temporal Score: 5.2(E:P/RL:O/RC:C)

CVE-2022-45431

Base Score: 8.6(AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Temporal Score: 7.7(E:P/RL:O/RC:C)

CVE-2022-45432

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Temporal Score: 5.2(E:P/RL:O/RC:C)

CVE-2022-45433

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Temporal Score: 5.2(E:P/RL:O/RC:C)

CVE-2022-45434

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)

Temporal Score: 5.2(E:P/RL:O/RC:C)

**Affected Products & Fix Software**

The following product series and models are currently known to be affected.

Affected Model

Affected Version

Fix Software

Affected Area

DSS Professional

V7.002.1760000.2

Patch Installer for DSS Professional V7

Overseas

V8.0.2

Patch Installer for DSS Professional V8.0.2

V8.0.4

Patch Installer for DSS Professional V8.0.4

V8.1

Patch Installer for DSS Professional V8.1

V8.1.1

Patch Installer for DSS Professional V8.1.1

DSS Express

V1.000.175J000.2

Patch Installer for DSS Express V7

Overseas

V8.0.2

Patch Installer for DSS Express V8.0.2

V8.0.4

Patch Installer for DSS Express V8.0.4

V8.1

Patch Installer for DSS Express V8.1

V8.1.1

Patch Installer for DSS Express V8.1.1

DHI-DSS7016D-S2/DHI-DSS7016DR-S2

V1.001.0000001.2

Patch Install for DSS7016D/R-S2 V7

Overseas

V8.0.2

Patch Installer for DSS7016D/DR-S2 V8.0.2

V8.0.4

Patch Installer for DSS7016D/DR-S2 V8.0.4

V8.1

DSS7016D/DR-S2 V8.1

DHI-DSS4004-S2

V1.001.0000000.2

Patch Install for DSS4004-S2 V7

Overseas

V8.0.2

Patch Installer for DSS4004-S2 V8.0.2

V8.0.4

Patch Installer for DSS4004-S2 V8.0.4

V8.1

DSS4004-S2 V8.1

Note: To view the version, please log in to the Web and view it on the “About” page.

**Fix Software Download**

Please download the corresponding fix software or its newer version as listed in the above table from Dahua website, or contact Dahua local technical support to upgrade.

• Dahua Official website: https://software.dahuasecurity.com/en/download

• Dahua Technical Support Personnel.

**Support Resources**

For any questions or concerns related to our products and solutions, please contact Dahua DHCC at cybersecurity@dahuatech.com.

**Acknowledgment**

We acknowledge the support of Bashis from IPVM who discovered these vulnerabilities and reported them to DHCC.

**Revision History**

Version

Description

Date

V1.0

Initial public release

2022-12-20

CVE-2022-45434: Security Advisory – Vulnerabilities found in Dahua software products

The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain.

Last week Okta announced a security breach that involved an attacker gaining access to its source code hosted in GitHub. That's just the latest example in a long string of attacks gaining access to company source code in GitHub. Dropbox, Gentoo Linux, and Microsoft have all had their GitHub accounts targeted before.

With 90 million active users, GitHub is the most popular source code management tool for both open source and private enterprise code repositories. It's a major piece of fundamental infrastructure and the keeper of some of the most sensitive assets and data in the world.

It's no wonder that attackers are increasingly going after source code. In some cases, such as Okta, they might be trying to gain access to the source code. More often, the attackers are looking for sensitive information to use in a subsequent attack.

An attacker who can gain access to private source code can examine it for vulnerabilities and then exploit those vulnerabilities in subsequent attacks. Attackers can also harvest hardcoded keys, passwords, and other credentials that might be stored in GitHub to gain access to cloud services and databases hosted in AWS, Azure, or GCP. A single stolen repository can yield intellectual property, valid credentials, and a nice list of vulnerabilities in production software that are ready to be exploited.

Shiny Hunters, an attack group known to specifically target private GitHub repositories, has breached tens of companies using this technique, and sold their data across various Dark Web marketplaces.

**Securing the Organization's GitHub Environment**

There is no question that GitHub is a critical part of the organization's infrastructure, but locking it down is a complex and challenging identity security problem. The beauty of the GitHub model is that it allows for unfettered collaboration, but that also creates one of the biggest headaches in modern IT security.

Just think about it: Anyone remotely technical in 2022 has a GitHub account. And you can use your GitHub account for everything. We can use these accounts for personal side projects, open source contributions, and our work in public and private code repositories that are ultimately owned by our employers. That is a lot of heavy lifting for a single identity!

You can also use the "Sign in with GitHub" feature to use your GitHub identity in other websites and services outside of just GitHub itself. And there's more: GitHub is unique in that you don't just sign in to their website, you also pull, push, and clone code from GitHub's servers down to your local machine via git operations over HTTPS and SSH, which themselves require your GitHub identity.

Clearly GitHub picked up on these security implications when it announced the deprecation of usernames and passwords for git operations last year — a step in the right direction.

**7 Tips for Securing Your GitHub**

While GitHub provides tools to lock down the environment, organizations need to know how to use them. Unfortunately, some of the most important security capabilities require GitHub Enterprise. Nonetheless, here are seven principles for better GitHub security.

1.  **Don't allow personal accounts for work.** We get it, your company has a few public repositories and you can build your credibility by showing off some public contributions in your next job interview. Your personal GitHub account is part of your brand. Unfortunately, this is also one of the biggest holes in organizations using GitHub today: They do not strictly govern the use of personal accounts for work purposes. As tempting as it might be, personal accounts should not be used for work. There's just no way to control who has access to that personal Gmail address that you used to create your personal GitHub account.
2.  **Require authentication via company SSO.** Unfortunately, GitHub shows up prominently on the SSO Wall of Shame. That's right — you need to pay extra for SSO integration. Once you have GitHub Enterprise, you can connect GitHub to your company SSO, such as Okta or Azure AD or Google Workspace, and you can lock down your organization to only allow authentication via SSO.
3.  **Require 2FA on all accounts.** Even if you enforce two-factor authentication (2FA, aka MFA) via your SSO and also require SSO authentication, the safest option is to still enforce 2FA for all GitHub users in your organization. Exemption groups and policy exceptions in your SSO provider can make SSO MFA easy to bypass.
4.  **Use SSH Keys for git operations.** While GitHub has introduced fine-grained permissions control with personal access tokens (PATs), they remain susceptible to phishing as these tokens are often copied around in plaintext. By using SSH keys for authentication for git operations, your organization can use thoughtful PKI to govern how SSH keys are provisioned, and can also tie this to your company's device management and your own certificate authority (CA).
5.  **Restrict repository member privileges using roles.** GitHub offers several different repository roles that can be assigned based on the principle of least privilege. Base permissions can be controlled at the organization level. Always take care to assign the least privileged role that a member needs to be productive. Don't make everyone an admin.
6.  **Don't allow outside collaborators.** Working with contractors is a normal part of managing large software projects. However, the governance surrounding outside collaborators in GitHub is insufficient to keep your organization secure. Instead, force outside collaborators to authenticate via your company SSO, and do not allow repository admins to invite them directly to your organization's repositories.
7.  **Audit, analyze, and audit again.** No organization is perfect; even with the best policies in place, accounts fall through the cracks and mistakes are made. Even before locking down your GitHub organization, take the time to implement a regular audit process to look for dormant accounts that are not using their access and to limit the number of privileged roles in your repositories. Once your environment is locked down, keep an eye out for policy violations, such as a user who is somehow still authenticating outside of your SSO or not using 2FA.

The breach of Okta's GitHub repository is a powerful example of just how hard it is to protect identities within enterprises, but it isn't a unique one. Every day we see what happens when employees and contractors experience account takeover. We see the effects of weak authentication, lax policies for personal email accounts, and the ever-expanding size of the identity attack surface.

Unfortunately, this latest incident is just one part of a growing trend of identity-related breaches to watch for in 2023.

Why Attackers Target GitHub, and How You Can Secure It

In rdiffweb prior to 2.5.5, lack of sanitisation of characters in SSH key name could allow attacker to inject a hyperlink injection that could allow attacker to redirect victim to malicious websites.

**rdiffweb vulnerable to Special Element Injection**

Moderate severity GitHub Reviewed Published Dec 27, 2022 • Updated Dec 30, 2022

GHSA-83pm-7v48-5jp4: rdiffweb vulnerable to Special Element Injection

Authentication Bypass by Primary Weakness in GitHub repository ikus060/rdiffweb prior to 2.5.5.

@@ -15,74 +15,91 @@ \# You should have received a copy of the GNU General Public License \# along with this program. If not, see <http://www.gnu.org/licenses/>.  
import logging import sys  
import cherrypy from sqlalchemy import event from sqlalchemy.exc import IntegrityError  
from .\_repo import RepoObject \# noqa from .\_session import DbSession, SessionObject \# noqa from .\_sshkey import SshKey \# noqa from .\_token import Token \# noqa from .\_user import DuplicateSSHKeyError, UserObject \# noqa from .\_user import DuplicateSSHKeyError, UserObject, user\_username\_index \# noqa  
Base \= cherrypy.tools.db.get\_base()  
logger \= logging.getLogger(\_\_name\_\_)  
  
def \_column\_add(connection, column): if \_column\_exists(connection, column): return table\_name \= column.table.fullname column\_name \= column.name column\_type \= column.type.compile(connection.engine.dialect) connection.engine.execute('ALTER TABLE %s ADD COLUMN %s %s' % (table\_name, column\_name, column\_type))  
  
def \_column\_exists(connection, column): table\_name \= column.table.fullname column\_name \= column.name if 'SQLite' in connection.engine.dialect.\_\_class\_\_.\_\_name\_\_: sql \= "SELECT COUNT(\*) FROM pragma\_table\_info('%s') WHERE LOWER(name)=LOWER('%s')" % ( table\_name, column\_name, ) else: sql \= "SELECT COUNT(\*) FROM information\_schema.columns WHERE table\_name='%s' and column\_name='%s'" % ( table\_name, column\_name, ) data \= connection.engine.execute(sql).first() return data\[0\] \>= 1  
  
def \_index\_exists(connection, index\_name): if 'SQLite' in connection.engine.dialect.\_\_class\_\_.\_\_name\_\_: sql \= "SELECT name FROM sqlite\_master WHERE type = 'index' AND name = '%s';" % (index\_name) else: sql \= "SELECT \* FROM pg\_indexes WHERE indexname = '%s'" % (index\_name) return connection.engine.execute(sql).first() is not None  
  
@event.listens\_for(Base.metadata, 'after\_create') def db\_after\_create(target, connection, \*\*kw): """ Called on database creation to update database schema. """  
def exists(column): table\_name \= column.table.fullname column\_name \= column.name if 'SQLite' in connection.engine.dialect.\_\_class\_\_.\_\_name\_\_: sql \= "SELECT COUNT(\*) FROM pragma\_table\_info('%s') WHERE LOWER(name)=LOWER('%s')" % ( table\_name, column\_name, ) else: sql \= "SELECT COUNT(\*) FROM information\_schema.columns WHERE table\_name='%s' and column\_name='%s'" % ( table\_name, column\_name, ) data \= connection.engine.execute(sql).first() return data\[0\] \>= 1  
def add\_column(column): if exists(column): return table\_name \= column.table.fullname column\_name \= column.name column\_type \= column.type.compile(connection.engine.dialect) connection.engine.execute('ALTER TABLE %s ADD COLUMN %s %s' % (table\_name, column\_name, column\_type))  
if getattr(connection, '\_transaction', None): connection.\_transaction.commit()  
\# Add repo's Encoding add\_column(RepoObject.\_\_table\_\_.c.Encoding) add\_column(RepoObject.\_\_table\_\_.c.keepdays) \_column\_add(connection, RepoObject.\_\_table\_\_.c.Encoding) \_column\_add(connection, RepoObject.\_\_table\_\_.c.keepdays)  
\# Create column for roles using "isadmin" column. Keep the \# original column in case we need to revert to previous version. if not exists(UserObject.\_\_table\_\_.c.role): add\_column(UserObject.\_\_table\_\_.c.role) if not \_column\_exists(connection, UserObject.\_\_table\_\_.c.role): \_column\_add(connection, UserObject.\_\_table\_\_.c.role) UserObject.query.filter(UserObject.\_is\_admin \== 1).update({UserObject.role: UserObject.ADMIN\_ROLE})  
\# Add user's fullname column add\_column(UserObject.\_\_table\_\_.c.fullname) \_column\_add(connection, UserObject.\_\_table\_\_.c.fullname)  
\# Add user's mfa column add\_column(UserObject.\_\_table\_\_.c.mfa) \_column\_add(connection, UserObject.\_\_table\_\_.c.mfa)  
\# Re-create session table if Number column is missing if not exists(SessionObject.\_\_table\_\_.c.Number): if not \_column\_exists(connection, SessionObject.\_\_table\_\_.c.Number): SessionObject.\_\_table\_\_.drop() SessionObject.\_\_table\_\_.create()  
if getattr(connection, '\_transaction', None): connection.\_transaction.commit()  
\# Remove preceding and leading slash (/) generated by previous \# versions. Also rename '.' to '' result \= RepoObject.query.all() @@ -101,3 +118,22 @@ def add\_column(column): row.delete() else: prev\_repo \= (row.userid, row.repopath)  
\# Fix username case insensitive unique if not \_index\_exists(connection, 'user\_username\_index'): duplicate\_users \= ( UserObject.query.with\_entities(func.lower(UserObject.username)) .group\_by(func.lower(UserObject.username)) .having(func.count(UserObject.username) \> 1) ).all() try: user\_username\_index.create() except IntegrityError: msg \= ( 'Failure to upgrade your database to make Username case insensitive. ' 'You must downgrade and deleted duplicate Username. ' '%s' % '\\n'.join(\[str(k) for k in duplicate\_users\]), ) logger.error(msg) print(msg, file\=sys.stderr) raise SystemExit(12)

CVE-2022-4722: Make username case-insensitive · ikus060/rdiffweb@d1aaa96

Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.5.

@@ -45,6 +45,7 @@ def start(self): self.bus.log('Start Notification plugin') self.bus.publish('schedule\_job', self.execution\_time, self.notification\_job) self.bus.subscribe('access\_token\_added', self.access\_token\_added) self.bus.subscribe('authorizedkey\_added', self.authorizedkey\_added) self.bus.subscribe('user\_attr\_changed', self.user\_attr\_changed) self.bus.subscribe('user\_password\_changed', self.user\_password\_changed)  
@@ -54,6 +55,7 @@ def stop(self): self.bus.log('Stop Notification plugin') self.bus.publish('unschedule\_job', self.notification\_job) self.bus.unsubscribe('access\_token\_added', self.access\_token\_added) self.bus.unsubscribe('authorizedkey\_added', self.authorizedkey\_added) self.bus.unsubscribe('user\_attr\_changed', self.user\_attr\_changed) self.bus.unsubscribe('user\_password\_changed', self.user\_password\_changed)  
@@ -77,6 +79,21 @@ def access\_token\_added(self, userobj, name): ) self.bus.publish('queue\_mail', to\=userobj.email, subject\=\_("A new access token has been created"), message\=body)  
def authorizedkey\_added(self, userobj, fingerprint, comment, \*\*kwargs): if not self.send\_changed: return  
if not userobj.email: logger.info("can't sent mail to user \[%s\] without an email", userobj.username) return  
\# If the email attributes was changed, send a mail notification. body \= self.app.templates.compile\_template( "email\_authorizedkey\_added.html", \*\*{"header\_name": self.app.cfg.header\_name, 'user': userobj, 'comment': comment, 'fingerprint': fingerprint} ) self.bus.publish('queue\_mail', to\=userobj.email, subject\=\_("A new SSH Key has been added"), message\=body)  
def user\_attr\_changed(self, userobj, attrs\={}): if not self.send\_changed: return

CVE-2022-4719: Send notification on new SSH Key · ikus060/rdiffweb@bc4bed8

Improper Access Control in GitHub repository ikus060/rdiffweb prior to 2.5.5.

@@ -325,15 +325,47 @@ def test\_add\_authorizedkey\_without\_file(self):

def test\_add\_authorizedkey\_duplicate(self):

\# Read the pub key

key \= self.\_read\_ssh\_key()

\# Add the key to the user

\# Given a user with a SSH Key

userobj \= UserObject.get\_user(self.USERNAME)

userobj.add\_authorizedkey(key)

userobj.commit()

\# Add the same key

  

\# When adding the same identical key.

\# Then an error is raised

with self.assertRaises(DuplicateSSHKeyError):

userobj.add\_authorizedkey(key)

userobj.commit()

  

def test\_add\_authorizedkey\_duplicate\_new\_comment(self):

\# Read the pub key

key \= self.\_read\_ssh\_key()

\# Given a user with a SSH Key

userobj \= UserObject.get\_user(self.USERNAME)

userobj.add\_authorizedkey(key)

userobj.commit()

  

\# When adding the same key with a different comment

\# Then an error is raised

with self.assertRaises(DuplicateSSHKeyError):

userobj.add\_authorizedkey(key, comment\="new comment")

userobj.commit()

  

def test\_add\_authorizedkey\_duplicate\_new\_user(self):

\# Read the pub key

key \= self.\_read\_ssh\_key()

\# Given a user with a SSH Key

userobj \= UserObject.get\_user(self.USERNAME)

userobj.add\_authorizedkey(key)

userobj.commit()

  

\# When adding the same key to a different user

\# Then an error is raised

newuser \= UserObject.add\_user("newuser")

newuser.commit()

with self.assertRaises(DuplicateSSHKeyError):

newuser.add\_authorizedkey(key, comment\="new comment")

newuser.commit()

  

def test\_add\_authorizedkey\_with\_file(self):

"""

Add an ssh key for a user with an authorizedkey file.

CVE-2022-4724: Make sure that all ssh keys are unique, regardless of the user · ikus060/rdiffweb@c4a19cf

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository ikus060/rdiffweb prior to 2.5.5.

**Description**

Lack of sanitisation of characters in SSH key name could allow attacker to inject a hyperlink injection that could allow attacker to redirect victim to malicious websites

**Proof of Concept**

    1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys 
    2) Add SSH key
    3) Enter the name evil.com 
    4) Due to lack of sanitisation , this might cause a hyperlink injection attack once email is triggered successfully on adding SSH key
    
    
    
    
    # Impact
    
    This issue allows an attacker to redirect victim to malicious website and cause a phishing attack

Tag

#ssh