Warpgate Versions

Smart SSH, HTTPS and MySQL bastion that requires no additional client-side software

v0.9.1

4 months ago

Security fixes

CVE-2023-48795 - Terrapin Attack [12fdf62]

A flaw in the SSH protocol itself allows an active MitM attacker to prevent the client & server from negotiating OpenSSH security extensions, or, with AsyncSSH, take control of the user's session.

This release adds support for the kex-strict-*-v00@openssh.com extensions designed by OpenSSH specifically to prevent this attack.

More info: https://terrapin-attack.com
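The fix works at the key-exchange negotiation layer: each side advertises a pseudo-algorithm in the kex name-list of its KEXINIT, and strict kex is only in effect when the client lists kex-strict-c-v00@openssh.com and the server lists kex-strict-s-v00@openssh.com. The following Python is an added example (not Warpgate's or russh's code) that builds constructed KEXINIT payloads, parses them per RFC 4253 and reports whether a given pairing would still be exposed to Terrapin; the "exposed" rule (ChaCha20-Poly1305, or a CBC cipher with an encrypt-then-MAC MAC, negotiated without strict kex on both sides) follows the public description of the attack. In practice you would feed it KEXINIT payloads captured from a real handshake.

```python
"""Terrapin (CVE-2023-48795) exposure check over a pair of SSH_MSG_KEXINIT payloads.
Added example; the KEXINIT payloads below are constructed, not captured from Warpgate."""
import os
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"   # client-side strict-kex marker
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"   # server-side strict-kex marker
CHACHA20 = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"


def _name_list(names):
    """Encode an RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, ciphers, macs, cookie=None):
    """Build a KEXINIT payload (RFC 4253 s7.1); c2s and s2c lists are made identical."""
    cookie = os.urandom(16) if cookie is None else cookie
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in (kex, hostkey, ciphers, ciphers, macs, macs,
                  ["none"], ["none"], [], []):
        body += _name_list(names)
    body += b"\x00"                 # first_kex_packet_follows = FALSE
    body += struct.pack(">I", 0)    # reserved
    return body


def parse_kexinit(payload):
    """Split a KEXINIT payload into its ten name-lists, keyed by field."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    fields = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
    off, out = 17, {}               # 1-byte message id + 16-byte cookie
    for field in fields:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        off += 4 + n
    return out


def negotiate(client_names, server_names):
    """RFC 4253 s7.1 rule: the first client preference the server also lists."""
    return next((n for n in client_names if n in server_names), None)


def audit_terrapin(client_kexinit, server_kexinit):
    """Report whether strict kex is mutually advertised and whether the negotiated
    cipher/MAC in each direction is one the Terrapin prefix truncation targets."""
    c, s = parse_kexinit(client_kexinit), parse_kexinit(server_kexinit)
    strict = STRICT_KEX_CLIENT in c["kex"] and STRICT_KEX_SERVER in s["kex"]
    report = {"strict_kex": strict}
    for d in ("c2s", "s2c"):
        enc = negotiate(c["enc_" + d], s["enc_" + d])
        mac = negotiate(c["mac_" + d], s["mac_" + d])
        weak = enc == CHACHA20 or (
            enc is not None and enc.endswith("-cbc")
            and mac is not None and mac.endswith(ETM_SUFFIX))
        report[d] = {"enc": enc, "mac": mac, "terrapin_exposed": weak and not strict}
    return report


# Constructed handshakes: a strict-kex-capable client against three servers.
ETM_MAC = "hmac-sha2-256-etm@openssh.com"
CLIENT_KEXINIT = build_kexinit(["curve25519-sha256", STRICT_KEX_CLIENT], ["ssh-ed25519"],
                               [CHACHA20, "aes256-gcm@openssh.com"], [ETM_MAC])
OLD_SERVER_KEXINIT = build_kexinit(["curve25519-sha256"], ["ssh-ed25519"], [CHACHA20], [ETM_MAC])
PATCHED_SERVER_KEXINIT = build_kexinit(["curve25519-sha256", STRICT_KEX_SERVER], ["ssh-ed25519"],
                                       [CHACHA20], [ETM_MAC])
GCM_ONLY_SERVER_KEXINIT = build_kexinit(["curve25519-sha256"], ["ssh-ed25519"],
                                        ["aes256-gcm@openssh.com"], [ETM_MAC])

if __name__ == "__main__":
    for label, srv in (("unpatched", OLD_SERVER_KEXINIT), ("patched", PATCHED_SERVER_KEXINIT),
                       ("gcm-only", GCM_ONLY_SERVER_KEXINIT)):
        print(label, audit_terrapin(CLIENT_KEXINIT, srv))
```

The report distinguishes two separate mitigations: a server that only offers non-affected modes (AES-GCM here) is not exposed even without strict kex, while a server that still offers ChaCha20-Poly1305 or CBC-EtM is protected only once both peers advertise the strict-kex markers.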

Changes

  • 21d6ab4: make HTTP session timeout and cookie age configurable in the config file (Nicolas SEYS) #922

v0.9.0

5 months ago

Security fixes

CVE-2023-48712

⚠️ Update ASAP.

This vulnerability allows a user to escalate their privileges if the admin account isn't protected by 2FA.

Migration

  • If you have a proxy in front of Warpgate setting X-Forwarded-* headers, set http.trust_x_forwarded_for to true in the config file.
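The reason this option is opt-in: X-Forwarded-For is an ordinary request header, so unless a proxy you control is the only way to reach the listener, whatever it carries was chosen by the client and must not be used as the client IP. The following Python is an added example (not Warpgate's implementation; the function name, the lower-cased header keys and the RFC 5737 test addresses are this example's own) showing how a trust switch changes the resolved address in the four combinations of "proxy present or not" and "trust on or off".

```python
"""Client-IP resolution behind an optional reverse proxy, modelled on a
trust_x_forwarded_for switch. Added example; addresses are constructed (RFC 5737 ranges)."""
import ipaddress


def resolve_client_ip(remote_addr, headers, trust_x_forwarded_for=False):
    """Return the address to log and to apply IP-based rules to.

    remote_addr: the TCP peer the server itself accepted.
    headers: request headers with lower-cased names (assumption of this example).
    trust_x_forwarded_for: set only when a proxy you operate is the only way
    to reach the listener and it appends the real peer to X-Forwarded-For.
    """
    if not trust_x_forwarded_for:
        return remote_addr                      # header is untrusted input; ignore it
    xff = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return remote_addr
    # A well-behaved proxy appends the peer it saw as the LAST element; anything
    # before it was sent by that peer and could be forged.
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return remote_addr                      # malformed value: fall back to the socket peer


# Constructed scenarios: 203.0.113.9 is the real client, 10.0.0.2 the proxy,
# 198.51.100.77 the address the client tries to claim.
FORGED = {"x-forwarded-for": "198.51.100.77"}                   # sent by the client itself
VIA_PROXY = {"x-forwarded-for": "198.51.100.77, 203.0.113.9"}   # proxy appended the real peer


def scenarios():
    return {
        "no_proxy_default": resolve_client_ip("203.0.113.9", FORGED),            # real client
        "no_proxy_trusting": resolve_client_ip("203.0.113.9", FORGED, True),     # claimed address wins
        "behind_proxy_trust": resolve_client_ip("10.0.0.2", VIA_PROXY, True),    # real client
        "behind_proxy_no_trust": resolve_client_ip("10.0.0.2", VIA_PROXY),       # proxy, not client
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:24s} -> {ip}")
```

The "no_proxy_trusting" case is the misconfiguration to avoid: with nothing in front of the listener, enabling trust lets a client choose what appears in the logs and in any IP-based decision. With more than one trusted proxy in the chain you would additionally strip your own proxies' addresses from the right before taking the last element.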

Changes

  • b0a9130: Add support for trusting X-Forwarded-For header to get client IP (Skyler Mansfield) #921
  • d9af747: Add better support for X-Forward-* headers when constructing external url (Skyler Mansfield) #921

v0.8.1

7 months ago

Security fixes

CVE-2023-43660

The SSH key verification for a user could be bypassed by sending an SSH key offer without a signature. This allowed bypassing authentication completely under the following conditions:

  • The attacker knows the username and a valid target name
  • The attacker knows the user's public key
  • Only SSH public key authentication is required for the user account
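In the SSH userauth protocol (RFC 4252 section 7) a publickey request carries a boolean flag: FALSE means "would this key be acceptable?" (the server may answer PK_OK but must not authenticate), TRUE means a signature over the session identifier and the request follows and must verify. Authenticating on the key match alone is the bug class described above. The following Python is an added example (not Warpgate's code) that builds and parses these messages and contrasts the flawed handler with the correct one; because the standard library has no Ed25519 or RSA signing, the "signature" is an HMAC stand-in labelled as such, and the session identifier, user name and secrets are constructed values.

```python
"""Model of the SSH 'publickey' userauth exchange (RFC 4252 s7) showing the check
CVE-2023-43660 concerns: a key offer without a signature is only a query and must
never authenticate the user. Added example; it does not reproduce Warpgate's code,
and the HMAC 'signature' is a stand-in for a real asymmetric signature."""
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def signed_data(session_id, user, service, alg, blob):
    """The bytes a client signs: session id, then the request with the flag set to TRUE."""
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user)
            + ssh_string(service) + ssh_string(b"publickey") + b"\x01"
            + ssh_string(alg) + ssh_string(blob))


def build_request(user, service, alg, blob, signature=None):
    """Client side: signature=None produces a key *query* (flag FALSE)."""
    has_sig = signature is not None
    msg = (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user) + ssh_string(service)
           + ssh_string(b"publickey") + (b"\x01" if has_sig else b"\x00")
           + ssh_string(alg) + ssh_string(blob))
    return msg + ssh_string(signature) if has_sig else msg


def parse_request(msg):
    if msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    user, off = read_string(msg, 1)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    if method != b"publickey":
        raise ValueError("not a publickey request")
    has_sig, off = msg[off] == 1, off + 1
    alg, off = read_string(msg, off)
    blob, off = read_string(msg, off)
    sig = None
    if has_sig:
        sig, off = read_string(msg, off)
    if off != len(msg):
        raise ValueError("trailing bytes")
    return {"user": user, "service": service, "has_sig": has_sig,
            "alg": alg, "blob": blob, "sig": sig}


# Stand-in key scheme (stdlib only): the public blob is a hash of a secret and the
# signature is an HMAC under that secret. A real server verifies an ssh-ed25519 /
# rsa-sha2-* signature against the public key blob instead.
def stub_public_blob(secret):
    return hashlib.sha256(secret).digest()


def stub_sign(secret, data):
    return hmac.new(secret, data, hashlib.sha256).digest()


def handle_vulnerable(msg, authorized):
    """Bug pattern: authenticates on key match alone, never looking at the flag."""
    req = parse_request(msg)
    return "SUCCESS" if req["blob"] in authorized.get(req["user"], ()) else "FAILURE"


def handle_fixed(msg, session_id, authorized, verify):
    """Correct flow: unknown key -> FAILURE; known key without signature -> PK_OK
    (client must follow up with a signed request); otherwise the signature must verify."""
    req = parse_request(msg)
    if req["blob"] not in authorized.get(req["user"], ()):
        return "FAILURE"
    if not req["has_sig"]:
        return "PK_OK"
    data = signed_data(session_id, req["user"], req["service"], req["alg"], req["blob"])
    return "SUCCESS" if verify(req["blob"], data, req["sig"]) else "FAILURE"


def demo():
    """Constructed scenario: the key holder knows SECRET; a third party knows only the blob."""
    session_id, secret, other_secret = b"sess-1", b"user-secret", b"not-the-secret"
    user, service, alg = b"alice", b"ssh-connection", b"stub-hmac"
    blob = stub_public_blob(secret)
    authorized = {user: {blob}}
    secrets = {blob: secret}                    # server-side lookup for the stand-in scheme

    def verify(key_blob, data, sig):
        return hmac.compare_digest(stub_sign(secrets[key_blob], data), sig)

    to_sign = signed_data(session_id, user, service, alg, blob)
    query = build_request(user, service, alg, blob)
    good = build_request(user, service, alg, blob, stub_sign(secret, to_sign))
    forged = build_request(user, service, alg, blob, stub_sign(other_secret, to_sign))
    return {
        "query_vulnerable": handle_vulnerable(query, authorized),              # SUCCESS: the bug
        "query_fixed": handle_fixed(query, session_id, authorized, verify),    # PK_OK
        "signed_fixed": handle_fixed(good, session_id, authorized, verify),    # SUCCESS
        "forged_fixed": handle_fixed(forged, session_id, authorized, verify),  # FAILURE
        "replayed_fixed": handle_fixed(good, b"sess-2", authorized, verify),   # FAILURE
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} {outcome}")
```

Binding the signed data to the session identifier is what makes the last case fail: a signature captured from one session does not verify in another, which is why the server must sign-check against its own session id rather than accept any well-formed signature blob.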

Fixes

  • dec0b97: Fix redirection with a relative location (Nicolas SEYS) #896

v0.8.0

8 months ago

Changes

  • 0bc9ae1: session details (IP & security key) are now shown during OOB auth to reduce the chance of phishing a user into approving an auth attempt #858
  • 983d0ad: bumped russh

Fixes

  • f0bc1db: fixed #358 - quotes in connection instructions on Windows #859
  • 49b92cd: fixed #855 - log client IPs and credentials used #861
  • aca8d3d: fixed #857 - fixed default ticket expiry when using MySQL as a database, bumped sea-orm #862

v0.7.4

9 months ago

Changes

  • Fixed Docker image build

v0.7.3

10 months ago

Security fixes

CVE-2023-37268 [8173f65]

Insufficient authentication checks for SSO users allowed any SSO user to elevate their permissions to those of any other SSO user. All configurations using SSO are affected.

Changes

  • f13a22f: HTTP: fixed #747 - don't include port in the X-Forwarded-For header
  • UI: added search boxes - #761
  • 4fe4bfe: fixed login errors not being displayed properly
  • b1995be: Admin: disallow completely disabling authentication for a protocol

v0.7.2

1 year ago

Changes

  • Docker: all protocols will be enabled by default when running warpgate setup
  • Dependency updates (Cléo REBERT) #739

v0.7.1

1 year ago

Security fixes

CVE-2023-28113 [6b3b49a]

A malicious client or target could negotiate insecure Diffie-Hellman key exchange parameters in a way that leads to an insecure shared secret and breaks confidentiality of traffic (for their own connection only).
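The general defence on either side of a DH key exchange is to validate what the peer sends before using it: the group (p, g) a server proposes in group exchange (RFC 4419) must be large enough and well-formed, and a peer's public value must lie strictly between 1 and p-1 (and, where the subgroup order is known, inside that subgroup), since a value of 1 or p-1 pins the shared secret to ±1 regardless of the other side's private exponent. The following Python is an added example of those checks (the page does not describe what commit 6b3b49a changed, so this is not Warpgate's fix); it uses a toy 23-element safe-prime group so the arithmetic can be followed by hand, with the 2048-bit minimum kept as a parameter so the toy group is rejected by the production-size check.

```python
"""Range and size checks for Diffie-Hellman key exchange in SSH (RFC 4253 s8,
RFC 4419 group exchange). Added example using a toy 23-element group; it is not
Warpgate's fix, and real groups are 2048 bits or more."""

MIN_MODULUS_BITS = 2048


def validate_group(p, g, min_bits=MIN_MODULUS_BITS):
    """Checks a client applies to a (p, g) proposed by the server in group exchange."""
    if p.bit_length() < min_bits:
        return False, "modulus too small"
    if p % 2 == 0:
        return False, "modulus must be odd"
    if not 1 < g < p - 1:
        return False, "generator out of range"
    return True, "ok"


def validate_peer_value(v, p, q=None):
    """Reject public values that force a predictable shared secret:
    v must satisfy 1 < v < p-1 and, when the subgroup order q is known,
    v^q mod p must be 1 (v lies in the prime-order subgroup)."""
    if not 1 < v < p - 1:
        return False, "public value outside (1, p-1)"
    if q is not None and pow(v, q, p) != 1:
        return False, "public value not in the order-q subgroup"
    return True, "ok"


def shared_secret(private, peer_value, p, q=None):
    """Compute K = peer_value^private mod p only after the peer value passes validation."""
    ok, reason = validate_peer_value(peer_value, p, q)
    if not ok:
        raise ValueError(reason)
    return pow(peer_value, private, p)


# Toy safe prime p = 23 = 2*11 + 1; g = 2 generates the subgroup of order q = 11.
TOY_P, TOY_G, TOY_Q = 23, 2, 11


def toy_exchange(a=6, b=9):
    """Honest exchange on the toy group: both sides derive the same K (12 for the defaults)."""
    A, B = pow(TOY_G, a, TOY_P), pow(TOY_G, b, TOY_P)
    return shared_secret(a, B, TOY_P, TOY_Q), shared_secret(b, A, TOY_P, TOY_Q)


if __name__ == "__main__":
    print("toy exchange:", toy_exchange())
    print("toy group at production size:", validate_group(TOY_P, TOY_G))
    print("peer value p-1:", validate_peer_value(TOY_P - 1, TOY_P, TOY_Q))
    # Without the check, a peer value of p-1 yields K in {1, p-1} whatever our exponent:
    print("K for peer value p-1 with exponents 7 and 8:",
          pow(TOY_P - 1, 7, TOY_P), pow(TOY_P - 1, 8, TOY_P))
```

The subgroup test (v^q mod p == 1) costs an extra exponentiation and is often skipped by implementations in favour of the cheaper range check alone; the range check is the minimum, because it is exactly the values 0, 1 and p-1 that collapse the shared secret to a constant.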

Commits

  • 1ad08dc: fixed #496 - enabled support for all databases in Github builds
  • 399f811: fixed RSA auth with signature algorithm mismatch

v0.7.0

1 year ago

Changes

The minimum required glibc version on Linux is now 2.18.

Fixes

  • fffd799: fixed #406 - Apple ID SSO not working - ⚠️ note the config layout changes
  • 9714570: SSH: fixed #477 - send ssh-rsa hostkey in addition to rsa-sha* - fixes Termius support on iOS
  • SSH: correctly report channel open failures to client
  • d90abcf: SSH: fixed missing CHANNEL_CLOSE messages - #459

v0.6.5

1 year ago

Changes

  • f967609: Added unattended setup command (warpgate unattended-setup) - fixes #409
  • 7066dd5: Added password recovery command (warpgate recover-access) - fixes #410
  • Added option to forward username to SSH targets as-is #445 (Alex Donec)
  • Removed the 1 second auth delay on SSH - #459 (Eugene Pankov)
  • c236da5: Added support for MySQL and PostgreSQL as database storage (database_url config option) - fixed #452

UI improvements

  • 67866fe: added visual feedback to save buttons
  • fd993c4: autofocus the OTP field - fixes #386
  • 5bdddd3: allow cancelling authentication

Fixes

  • fixed scp freezing up - #479 (Eugene Pankov)
  • a8e21b3: fixed session recordings not getting cleaned up - fixes #310
  • 512396f: fixed #406 - Apple ID URL redirect
  • 6f39338: fixed #406 - construct correct SSO URLs behind a reverse proxy