April 20, 2015

I recently learned of a serious undocumented vulnerability in the ssh package. This is a minimal ssh server implementation used by darcsden to support darcs push/pull. If you use the ssh package, or you have darcsden’s darcsden-ssh server running, you should upgrade to/rebuild with the imminent ssh-0.3 release right away. Or if you know of someone like that, please let them know.

darcsden is of course the basis for Darcs Hub. Here’s the announcement I sent to users there a few days ago, with more details.

Hello darcs hub users,

This is Simon Michael, operator of hub.darcs.net, with the first all-darcs-hub-users announcement. You’re receiving this because you have an email address configured in your darcs hub user settings.

Thank you for using darcs hub, and for any feedback/bug reports/patches you may have sent. Usage is growing steadily, and I plan to blog more about it soon at joyful.com.

This email is to announce a recently patched security vulnerability in darcs hub’s SSH server.

Timeline:

3/21: a software developer reports that the haskell “ssh” library used by darcs hub does not check for a valid signature on the public key during authentication. This means it was possible to authenticate as any other ssh user if you knew their public key.

3/21-: I discuss the issue with a small number of core darcs developers and the ssh author.

3/25: A preliminary fix is deployed. We believe this closed the vulnerability.

4/6: A more comprehensive and tested fix is deployed.

4/15: This announcement is sent to current darcs hub users with valid email addresses (714 of 765 users).

4/20: Public disclosure via blog, haskell mail lists and the issue tracker (darcsden #130).

Impact and current status:

We believe the vulnerability is now fixed. But we are not cryptographers - I’m sure the new ssh maintainer would welcome any help from some of those.

We have no reason to believe anyone discovered or exploited the vulnerability. Also, it seems unlikely there’s anything hosted on darcs hub that would attract this kind of attention. darcs hub logs are not good enough to be certain, however. It’s possible I’ll find a way to be more certain by looking at file timestamps or something.

The weakness was present in darcs hub’s ssh server since it went live (and in darcsden.com before that). As mentioned, it was possible to authenticate via ssh as another user if you provided their public ssh key. With ssh access, it’s possible to create, delete, modify or replace any repository in that darcs hub account (but not possible to change user settings in the web app, or to access the system hosting darcs hub).

The worst-case scenario we’ve imagined is that a motivated attacker could have authenticated as you and replaced your repo with one that looks just like it, but with patches altered or added, any time since you created the repo on darcs hub (or on darcsden.com, if you moved it from there).

So if you’re paranoid/careful you may want to check the integrity of your repos, eg by reviewing the repo history (“changes” button on the website, “darcs log [-s] [-v]” at the console). If you have more questions about this, you can contact me (simon@joyful.com) and if necessary Ganesh Sittampalam (ganesh@earth.li) privately.

Future plans:

Public announcement on 4/20

I’ll add a security section to the darcs hub FAQ

Ganesh has stepped up to be maintainer of the ssh package, and will make a new release soon

I’ll do a darcsden release not too long after that

We’ll need to figure out darcs hub’s sustainability plan. As it grows and more of you rely on it, so does the need for a revenue stream to allow decent maintenance and oversight. This could be from funding, donations, charging for private repos or something else.

Also, some logistical things to be aware of:

this announcement has been sent via MailChimp, and as yet there’s no automatic integration between MailChimp and your settings on hub.darcs.net.

remember that darcs hub’s issue tracker is here, and that it does not yet send email notifications - to see replies to an issue, you must visit the issue page.

darcs hub’s password recovery emails may not always reach you - if you’re experiencing this, please contribute to #123.

Needless to say, I regret the vulnerability and am pleased to have it closed. Of course we are not alone, eg github had their own incident. Thank you very much to all who have been helping with this, especially the original reporter for letting us all know, and Ganesh for providing swift and high quality fixes.
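To make the 3/21 timeline entry concrete, here is an added illustration in Go (not code from the Haskell ssh package or darcsden) of the check that was missing: the data a client must sign in an RFC 4252 publickey request, a weak acceptance that only consults the user's key list, and the corrected acceptance that also verifies the client's signature. The authorizedKeys store, the user name "alice" and the session identifier are constructed for the example; a real server uses the key exchange hash H as the session identifier.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// sshString encodes an SSH "string" (RFC 4251): big-endian uint32 length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// signedData is the data a client signs in a publickey request (RFC 4252 section 7). The
// session identifier ties the proof to this connection; user and service tie it to this login.
func signedData(sessionID []byte, user string, pub ed25519.PublicKey) []byte {
	str := func(s string) []byte { return sshString([]byte(s)) }
	keyBlob := bytes.Join([][]byte{str("ssh-ed25519"), sshString(pub)}, nil) // wire form of the key
	return bytes.Join([][]byte{
		sshString(sessionID), {50}, // 50 = SSH_MSG_USERAUTH_REQUEST
		str(user), str("ssh-connection"), str("publickey"), {1}, // 1 = boolean TRUE, a signature follows
		str("ssh-ed25519"), sshString(keyBlob),
	}, nil)
}

type authorizedKeys map[string]ed25519.PublicKey // hypothetical stand-in for the per-user key lookup

// WeakAuth reproduces the flaw described above: only key membership is checked, never the signature, so anyone holding the public key is accepted.
func WeakAuth(a authorizedKeys, user string, pub ed25519.PublicKey, _ []byte) bool {
	return bytes.Equal(a[user], pub)
}

// CheckedAuth also verifies the signature over the session-bound data, proving possession of the private key; Verify returns false for a missing or malformed signature.
func CheckedAuth(a authorizedKeys, sessionID []byte, user string, pub ed25519.PublicKey, sig []byte) bool {
	return bytes.Equal(a[user], pub) && ed25519.Verify(pub, signedData(sessionID, user, pub), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sid, keys := []byte("constructed session id"), authorizedKeys{"alice": pub} // sid stands in for the exchange hash H
	sig := ed25519.Sign(priv, signedData(sid, "alice", pub))
	fmt.Println(WeakAuth(keys, "alice", pub, nil), CheckedAuth(keys, sid, "alice", pub, nil)) // true false
	fmt.Println(CheckedAuth(keys, sid, "alice", pub, sig))                                    // true
}
```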