Bug 1028418 (CVE-2013-4548)

Summary: CVE-2013-4548 openssh: post-auth memory corruption when using AES-GCM cipher
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: h.reindl, jkurik, mattias.ellert, mgrepl, pfrields, plautrba, tmraz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: openssh 6.4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-08 13:59:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1028363, 1028686, 1028920, 1029004
Bug Blocks:

Description Tomas Hoger 2013-11-08 11:52:22 UTC
OpenSSH upstream has released version 6.4 which fixes a single security issue:

http://openssh.org/txt/release-6.4

 * sshd(8): fix a memory corruption problem triggered during rekeying
   when an AES-GCM cipher is selected. Full details of the vulnerability
   are available at: http://www.openssh.com/txt/gcmrekey.adv

Further details are available in the mentioned upstream advisory:

   A memory corruption vulnerability exists in the post-
   authentication sshd process when an AES-GCM cipher
   (aes128-gcm or aes256-gcm) is
   selected during kex exchange.

   If exploited, this vulnerability might permit code execution
   with the privileges of the authenticated user and may
   therefore allow bypassing restricted shell/command
   configurations.

   ...

   When using AES-GCM, sshd was not initialising a Message
   Authentication Code (MAC) context that is unused when the
   cipher mode offers authentication itself. This context
   contains some callback pointers, including a cleanup callback
   that was still being invoked during a rekeying operation.
   As such, the address being called was derived from previous
   heap contents.

   This vulnerability is mitigated by the difficulty of
   pre-loading the heap with a useful callback address and by
   any platform address-space layout randomisation applied to
   sshd and the shared libraries it depends upon.

This issue affects versions 6.2 and 6.3. OpenSSH 6.2 is the first version that introduced the affected AES-GCM ciphers:

http://openssh.org/txt/release-6.2

 * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in
   SSH protocol 2. The new cipher is available as aes128-gcm
   and aes256-gcm. It uses an identical packet format to the
   AES-GCM mode specified in RFC 5647, but uses simpler and different
   selection rules during key exchange.

The upstream patch is part of the advisory and can be found in the upstream CVS repository:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor_wrap.c#rev1.77

External References:

http://www.openssh.com/txt/gcmrekey.adv

Comment 1 Tomas Hoger 2013-11-08 11:54:38 UTC
Fedora openssh packages based on vulnerable upstream versions 6.2 and 6.3 are not affected, as they already contain the same change as part of the openssh-*-audit.patch:

http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.3p1-audit.patch?id=84822b5#n1483

The fix was introduced as part of this commit:

http://pkgs.fedoraproject.org/cgit/openssh.git/commit/?h=f19&id=014fe81

Comment 3 Petr Lautrbach 2013-11-08 13:44:55 UTC
Prior to openssh-6.2p1, one of the implemented MAC algorithms was always used together with the chosen cipher, so newkeys->mac was always initialized using choose_mac(). Since openssh-6.2p1, new AES-GCM encryption modes are implemented, and given that GCM mode provides data integrity itself, no MAC is used:

-               choose_mac (&newkeys->mac,  cprop[nmac],  sprop[nmac]);
+               authlen = cipher_authlen(newkeys->enc.cipher);
+               if (authlen == 0)
+                       choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);
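Review bot: when authlen != 0 this hunk leaves newkeys->mac untouched, so for aes128-gcm/aes256-gcm the MAC context, which per the advisory quoted in the description carries callback pointers including a cleanup callback that the rekey path still invokes, keeps whatever bytes that memory held before. The `if (authlen == 0)` branch is only safe if newkeys->mac is cleared before it or the rekey cleanup is guarded on a MAC actually having been chosen (the upstream fix linked in the description is to monitor_wrap.c, i.e. the callback site rather than this selection code). Suggest adding an `else` that clears the context, e.g. `memset(&newkeys->mac, 0, sizeof(newkeys->mac));`, so the selection code does not depend on the caller having zeroed the struct.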


New functionality in openssh-6.2p1-audit.patch added the used MAC to audit messages and, as a side effect, also fixed this issue.
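The defect class described in the advisory excerpt in the description and in the kex.c hunk above (a MAC context that is skipped for AEAD ciphers but still has its cleanup callback invoked on rekey) can be modelled in a few dozen lines. The following is an added illustration, not OpenSSH code: `newkeys_t`, `mac_ctx`, `cipher_authlen()`, `choose_mac()`, `hmac_cleanup()` and `rekey()` are simplified stand-ins for the real structures and functions, and the 0xA5 fill is a deterministic substitute for stale heap contents. It contrasts the non-zeroed allocation with a zeroed one and shows the pre-flight check a rekey path can apply before calling through the pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model (not OpenSSH's real structures) of the
 * situation the advisory describes: a MAC context carrying callback
 * pointers, embedded in the per-direction key state, and a rekey path
 * that invokes the MAC cleanup callback. */
typedef struct {
    const char *name;
    void (*cleanup)(void);      /* callback the rekey path invokes */
} mac_ctx;

typedef struct {
    const char *cipher;
    int         authlen;        /* >0 for AEAD ciphers such as AES-GCM */
    mac_ctx     mac;
} newkeys_t;

/* Constructed stand-in for cipher_authlen(): GCM ciphers authenticate
 * themselves, everything else needs a separate MAC. */
static int cipher_authlen(const char *cipher)
{
    return strstr(cipher, "-gcm") != NULL ? 16 : 0;
}

static int hmac_cleanups;                  /* counts legitimate callback runs */
static void hmac_cleanup(void) { hmac_cleanups++; }

/* Constructed stand-in for choose_mac(): fills in the MAC context. */
static void choose_mac(mac_ctx *mac)
{
    mac->name    = "hmac-sha1";
    mac->cleanup = hmac_cleanup;
}

/* Defective pattern: the key state is not zeroed and the MAC is only set up
 * when the cipher lacks built-in authentication, so for AES-GCM the callback
 * pointer keeps whatever the allocation held before. The 0xA5 fill stands in
 * deterministically for stale heap contents. */
static newkeys_t *newkeys_uninitialized(const char *cipher)
{
    newkeys_t *nk = malloc(sizeof *nk);
    if (nk == NULL) return NULL;
    memset(nk, 0xA5, sizeof *nk);          /* simulate prior heap contents */
    nk->cipher  = cipher;
    nk->authlen = cipher_authlen(cipher);
    if (nk->authlen == 0)
        choose_mac(&nk->mac);
    return nk;
}

/* Hardened pattern: zero the whole state first, so an unused MAC context
 * has a NULL callback rather than leftover bytes. */
static newkeys_t *newkeys_zeroed(const char *cipher)
{
    newkeys_t *nk = calloc(1, sizeof *nk);
    if (nk == NULL) return NULL;
    nk->cipher  = cipher;
    nk->authlen = cipher_authlen(cipher);
    if (nk->authlen == 0)
        choose_mac(&nk->mac);
    return nk;
}

/* Pre-flight check a rekey path should pass before calling the callback:
 * the pointer must be NULL (no MAC in use) or a callback we installed.
 * Returns 1 if trusted, 0 if the pointer value is unexpected. */
static int mac_cleanup_is_trusted(const newkeys_t *nk)
{
    return nk->mac.cleanup == NULL || nk->mac.cleanup == hmac_cleanup;
}

/* Guarded rekey: invoke the cleanup callback only when it is trusted.
 * Returns the number of callbacks actually run (0 or 1). */
static int rekey(newkeys_t *nk)
{
    if (!mac_cleanup_is_trusted(nk) || nk->mac.cleanup == NULL)
        return 0;
    nk->mac.cleanup();
    return 1;
}

int main(void)
{
    newkeys_t *bad  = newkeys_uninitialized("aes128-gcm");
    newkeys_t *good = newkeys_zeroed("aes128-gcm");
    newkeys_t *cbc  = newkeys_zeroed("aes128-cbc");
    printf("gcm, not zeroed: cleanup trusted = %d\n", mac_cleanup_is_trusted(bad));
    printf("gcm, zeroed:     cleanup trusted = %d, ran = %d\n",
           mac_cleanup_is_trusted(good), rekey(good));
    printf("cbc, zeroed:     cleanup trusted = %d, ran = %d\n",
           mac_cleanup_is_trusted(cbc), rekey(cbc));
    free(bad); free(good); free(cbc);
    return 0;
}
```

For the non-zeroed AES-GCM state the check reports the cleanup pointer as untrusted and `rekey()` refuses to call through it; with the zeroed allocation the pointer is NULL for AES-GCM (nothing to run) and the installed `hmac_cleanup` for a non-AEAD cipher (runs once). In the real code base the equivalent of the zeroing is what removes the dependency on previous heap contents that the advisory names as the source of the called address.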

Comment 4 Tomas Hoger 2013-11-08 13:57:40 UTC
(In reply to Petr Lautrbach from comment #3)
> -               choose_mac (&newkeys->mac,  cprop[nmac],  sprop[nmac]);
> +               authlen = cipher_authlen(newkeys->enc.cipher);
> +               if (authlen == 0)
> +                       choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);

The above is part of this upstream commit:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c#rev1.88

Comment 5 Tomas Hoger 2013-11-08 13:59:02 UTC
Statement:

Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for AES-GCM cipher suites.

Comment 6 Tomas Mraz 2013-11-11 13:20:07 UTC
*** Bug 1029004 has been marked as a duplicate of this bug. ***

Comment 7 Tomas Hoger 2014-02-17 09:59:50 UTC
HackerOne report:
https://hackerone.com/reports/500