Bug 1213775 (CVE-2015-3146)
|Summary:||CVE-2015-3146 libssh: null pointer dereference due to a logical error in the handling of a SSH_MSG_NEWKEYS and KEXDH_REPLY packets|
|Product:||[Other] Security Response||Reporter:||Vasyl Kaigorodov <vkaigoro>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||asn, carnil, fweimer, jrusnack, security-response-team, stefw|
|Fixed In Version:||libssh 0.6.5||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2015-05-28 10:54:49 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1214622, 1218076, 1218077|
Description Vasyl Kaigorodov 2015-04-21 09:24:38 UTC
libssh versions 0.5.1 and above have a logical error in the handling of a SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY package. A detected error did not set the session into the error state correctly and further processed the packet which leads to a null pointer dereference. This is the packet after the initial key exchange and doesn't require authentication. Both client and server are are vulnerable, pre-authentication and pre-crypto and and can be explointed with a MITM attack. This could be used for a Denial of Service (DoS) attack. Acknowledgements: Red Hat would like to thank the libssh team for reporting this issue. The libssh team acknowledges Mariusz Ziulek from the Open Web Application Security Project (OWASP) as the original reporter.
Comment 2 Vasyl Kaigorodov 2015-04-21 13:58:05 UTC
Created attachment 1016896 [details] Suggested patch
Comment 3 Stef Walter 2015-04-21 14:46:21 UTC
The former patch applies to libssh 0.6.4 cleanly. The latter patch does not (perhaps against a different 0.6.x). Brew build for RHEL 7: https://brewweb.devel.redhat.com/taskinfo?taskID=9017188
Comment 10 Andreas Schneider 2015-04-30 14:06:33 UTC
libssh 0.6.5 has been released to address the issue! https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/
Comment 11 Martin Prpič 2015-05-04 07:55:31 UTC
External References: https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/
Comment 12 Martin Prpič 2015-05-04 07:56:10 UTC
Created libssh tracking bugs for this issue: Affects: fedora-all [bug 1218076] Affects: epel-all [bug 1218077]
Comment 13 Fedora Update System 2015-05-14 11:15:45 UTC
libssh-0.6.5-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2015-05-21 05:12:27 UTC
libssh-0.6.5-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2015-05-26 21:27:07 UTC
libssh-0.5.5-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2015-07-14 15:28:48 UTC
libssh-0.7.1-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.