Two vulnerabilities affecting the OpenSSH client were partially disclosed this morning. There are some details here:
http://undeadly.org/cgi?action=article&sid=20160114142733
Both are in the client's undocumented "roaming" support, which is enabled by default. It seems like:
- CVE-2016-0777: An information leak. Worst case is that when you SSH to a server, that server can read memory of your SSH client, which may include your private keys.
- CVE-2016-0778: A buffer overflow in the same code. Worst case is that when you SSH to a server, that server can execute arbitrary code on your client, although this appears to require non-default client configuration to be exploitable.
The key material compromise is not hugely concerning for Phabricator. In general, it would allow an attacker to do this:
- Launch an evil server at evil.com.
- Configure Phabricator to connect to the server by adding it to Almanac/Drydock or configuring it as a remote repository.
- Read private key material out of the SSH client that Phabricator launches to connect to that server.
Because the key the client loads for that connection is normally one the attacker already holds, this isn't a huge deal. The exception is credentials stored in Passphrase: an attacker could leak a key they are allowed to use but are not normally allowed to view.
The client execution issue is more concerning, but it seems unlikely that we are affected, since it appears to require elaborate preconditions to be exploitable.
Neither issue has any impact on Phacility that differs from its impact on installs in general.
Because the particulars are still a bit murky, and because CVE-2016-0777 potentially allows sideways privilege escalation under certain conditions that isn't otherwise possible, I plan to apply the "UseRoaming no" configuration fix to the Phacility cluster.
Recommendation: Third-party installs should evaluate and mitigate these issues (by upgrading OpenSSH or setting "UseRoaming no" in the client configuration). This is serious and likely merits a response in almost all environments, but Phabricator is not specially impacted by it in a meaningful way.