Bug 1213775 (CVE-2015-3146)

Summary: CVE-2015-3146 libssh: null pointer dereference due to a logical error in the handling of SSH_MSG_NEWKEYS and KEXDH_REPLY packets
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: asn, carnil, fweimer, jrusnack, security-response-team, stefw
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: libssh 0.6.5
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-05-28 10:54:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1214622, 1218076, 1218077
Bug Blocks: 1213779
Attachments: Suggested patch (flags: none)

Description Vasyl Kaigorodov 2015-04-21 09:24:38 UTC
libssh versions 0.5.1 and above have a logical error in the handling of an
SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY package. A detected error did not set
the session into the error state correctly and further processed the packet
which leads to a null pointer dereference. This is the packet after the initial
key exchange and doesn't require authentication.

Both client and server are vulnerable, pre-authentication and pre-crypto,
and can be exploited with a MITM attack. This could be used for a
Denial of Service (DoS) attack.

Acknowledgements:

Red Hat would like to thank the libssh team for reporting this issue. The libssh team acknowledges Mariusz Ziulek from the Open Web Application Security Project (OWASP) as the original reporter.
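The description above names the bug class: a key-exchange state check that detects an out-of-order packet but does not move the session into the error state, so processing continues and touches a pointer that is still NULL. The following C program is an added illustration of how a defensively written handler should behave; it is a hypothetical model and not libssh's code. All names (`struct session`, `dispatch`, `handle_newkeys`, the `STATE_*` and `PKT_*` constants) are assumptions for this example; the packet type numbers are the ones SSH assigns to KEXINIT, NEWKEYS and KEXDH_REPLY.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical model of a key-exchange state machine; not libssh code. */
enum sess_state {
    STATE_INITIAL,        /* connection established, no KEXINIT yet      */
    STATE_KEXINIT,        /* KEXINIT exchanged, waiting for KEXDH_REPLY  */
    STATE_DH,             /* KEXDH_REPLY processed, waiting for NEWKEYS  */
    STATE_AUTHENTICATING, /* keys in use, authentication may begin       */
    STATE_ERROR           /* fatal: no further packets may be processed  */
};

struct crypto { int cipher_id; };   /* stand-in for the negotiated keys */

struct session {
    enum sess_state state;
    struct crypto *next_crypto;     /* NULL until KEXDH_REPLY succeeds */
    const char *error;
};

/* SSH message numbers for the three packets involved. */
enum pkt { PKT_KEXINIT = 20, PKT_NEWKEYS = 21, PKT_KEXDH_REPLY = 31 };

#define RC_OK 0
#define RC_ERROR (-1)

/* Mark the session fatally broken; every later packet is refused.
   This is the step the description says was missing: the error was
   detected, but the session was not put into the error state. */
static int fail(struct session *s, const char *why) {
    s->error = why;
    s->state = STATE_ERROR;
    return RC_ERROR;
}

static int handle_kexinit(struct session *s) {
    if (s->state != STATE_INITIAL) return fail(s, "unexpected KEXINIT");
    s->state = STATE_KEXINIT;
    return RC_OK;
}

static int handle_kexdh_reply(struct session *s, struct crypto *negotiated) {
    if (s->state != STATE_KEXINIT) return fail(s, "KEXDH_REPLY out of order");
    if (negotiated == NULL) return fail(s, "key derivation failed");
    s->next_crypto = negotiated;
    s->state = STATE_DH;
    return RC_OK;
}

static int handle_newkeys(struct session *s) {
    /* Refuse NEWKEYS unless the DH step completed.  Continuing past a
       failed check would use next_crypto, which is still NULL here. */
    if (s->state != STATE_DH) return fail(s, "NEWKEYS out of order");
    if (s->next_crypto == NULL) return fail(s, "no keys negotiated");
    s->next_crypto->cipher_id++;        /* safe: non-NULL guaranteed above */
    s->state = STATE_AUTHENTICATING;
    return RC_OK;
}

/* Dispatcher: once in STATE_ERROR nothing is processed any more. */
int dispatch(struct session *s, enum pkt type, struct crypto *arg) {
    if (s->state == STATE_ERROR) return RC_ERROR;
    switch (type) {
    case PKT_KEXINIT:     return handle_kexinit(s);
    case PKT_KEXDH_REPLY: return handle_kexdh_reply(s, arg);
    case PKT_NEWKEYS:     return handle_newkeys(s);
    default:              return fail(s, "unknown packet type");
    }
}

void session_init(struct session *s) {
    s->state = STATE_INITIAL;
    s->next_crypto = NULL;
    s->error = NULL;
}

int main(void) {
    struct session s;
    struct crypto keys = { 1 };   /* constructed sample key material */

    /* A NEWKEYS arriving right after connect is rejected, nothing is
       dereferenced, and the session stays unusable afterwards. */
    session_init(&s);
    printf("early NEWKEYS -> %d (%s)\n", dispatch(&s, PKT_NEWKEYS, NULL), s.error);
    printf("KEXINIT after error -> %d\n", dispatch(&s, PKT_KEXINIT, NULL));

    /* The properly ordered exchange succeeds. */
    session_init(&s);
    dispatch(&s, PKT_KEXINIT, NULL);
    dispatch(&s, PKT_KEXDH_REPLY, &keys);
    printf("ordered NEWKEYS -> %d\n", dispatch(&s, PKT_NEWKEYS, NULL));
    return 0;
}
```

The two properties worth checking in any real implementation are the ones the test exercises: a state check that fails must leave the session in a terminal error state, and the dispatcher must honour that state so that no later handler runs against half-initialised data.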

Comment 2 Vasyl Kaigorodov 2015-04-21 13:58:05 UTC
Created attachment 1016896 [details]
Suggested patch

Comment 3 Stef Walter 2015-04-21 14:46:21 UTC
The former patch applies to libssh 0.6.4 cleanly. The latter patch does not (perhaps against a different 0.6.x).

Brew build for RHEL 7: https://brewweb.devel.redhat.com/taskinfo?taskID=9017188

Comment 10 Andreas Schneider 2015-04-30 14:06:33 UTC
libssh 0.6.5 has been released to address the issue!

https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/

Comment 11 Martin Prpič 2015-05-04 07:55:31 UTC
External References:

https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/

Comment 12 Martin Prpič 2015-05-04 07:56:10 UTC
Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1218076]
Affects: epel-all [bug 1218077]

Comment 13 Fedora Update System 2015-05-14 11:15:45 UTC
libssh-0.6.5-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2015-05-21 05:12:27 UTC
libssh-0.6.5-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2015-05-26 21:27:07 UTC
libssh-0.5.5-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2015-07-14 15:28:48 UTC
libssh-0.7.1-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.