Bug 1158089 (CVE-2014-8132)

Summary: CVE-2014-8132 libssh: Possible double free on a dangling pointer with crafted kexinit packet
Product: [Other] Security Response Reporter: Andreas Schneider <asn>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asn, carnil, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: impact=moderate,public=20141219,reported=20141028,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,fedora-all/libssh=affected,epel-all/libssh=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-01-30 06:53:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1176145, 1176146    
Bug Blocks: 1158092    

Description Andreas Schneider 2014-10-28 14:30:36 UTC
Description of problem:

Maybe it is possible to send a malicious kexinit package to eventually cause a server to a double-free.

I guess this is only a DoS.

Source code:

http://git.libssh.org/projects/libssh.git/


Patch:

From f6b9f851b962e3a587f3f99b7cb97d130f0c77b9 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@jonsimons.org>
Date: Sat, 18 Oct 2014 23:23:26 -0700
Subject: [PATCH] kex: fixup error path in ssh_packet_kexinit

Before this change, dangling pointers can be unintentionally left in
the respective next_crypto kex methods slots.  Ensure to set all slots
to NULL in the error-out path.

Signed-off-by: Jon Simons <jon@jonsimons.org>
---
 src/kex.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/kex.c b/src/kex.c
index f1a1b56..ee00ec3 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -443,6 +443,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
 error:
     ssh_string_free(str);
     for (i = 0; i < SSH_KEX_METHODS; i++) {
+        if (server_kex) {
+            session->next_crypto->client_kex.methods[i] = NULL;
+        } else { /* client */
+            session->next_crypto->server_kex.methods[i] = NULL;
+        }
         SAFE_FREE(strings[i]);
     }
 
-- 
1.9.1

Comment 1 Andreas Schneider 2014-10-28 15:17:04 UTC
The patch was not complete:

From 3ec6790970973e52de30de46f24e4658c1f2e29b Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@jonsimons.org>
Date: Sat, 18 Oct 2014 23:23:26 -0700
Subject: [PATCH] kex: fixup error path in ssh_packet_kexinit

Before this change, dangling pointers can be unintentionally left in
the respective next_crypto kex methods slots.  Ensure to set all slots
to NULL in the error-out path.

Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
 src/kex.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/kex.c b/src/kex.c
index f1a1b56..695929e 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -368,7 +368,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
     for (i = 0; i < KEX_METHODS_SIZE; i++) {
         str = buffer_get_ssh_string(packet);
         if (str == NULL) {
-          break;
+          goto error;
         }
 
         rc = buffer_add_ssh_string(session->in_hashbuf, str);
@@ -443,6 +443,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
 error:
     ssh_string_free(str);
     for (i = 0; i < SSH_KEX_METHODS; i++) {
+        if (server_kex) {
+            session->next_crypto->client_kex.methods[i] = NULL;
+        } else { /* client */
+            session->next_crypto->server_kex.methods[i] = NULL;
+        }
         SAFE_FREE(strings[i]);
     }
 
-- 
2.1.2

Comment 2 Andreas Schneider 2014-11-27 17:36:02 UTC
Ping!

Comment 3 Vincent Danen 2014-12-05 15:03:51 UTC
This has been assigned CVE-2014-8132 and the planned disclosure date is December 19th.

Comment 4 Vincent Danen 2014-12-19 14:42:51 UTC
This is fixed in libssh 0.6.4 and upstream describes it thus:

"""
This is an important SECURITY and maintenance release in order to address CVE-2014-8132 – Double free on dangling pointers in initial key exchange packet.
libssh versions 0.5.1 and above could leave dangling pointers in the session
crypto structures. It is possible to send a malicious kexinit package to
eventually cause a server to do a double-free before this fix.

This could be used for a Denial of Service attack.
"""


External References:

http://www.libssh.org/2014/12/19/libssh-0-6-4-security-and-bugfix-release/

Comment 5 Vincent Danen 2014-12-19 14:43:15 UTC
Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1176145]
Affects: epel-all [bug 1176146]

Comment 6 Fedora Update System 2015-01-03 18:59:10 UTC
libssh-0.6.4-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-01-03 19:11:07 UTC
libssh-0.6.4-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-01-03 19:12:42 UTC
libssh-0.6.4-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-01-06 02:05:35 UTC
libssh-0.6.4-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2015-01-06 02:09:28 UTC
libssh-0.5.5-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-01-06 02:09:35 UTC
libssh-0.5.5-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Andreas Schneider 2018-01-30 06:53:52 UTC
I think this can be closed as fixed.