Bug 1406293 (CVE-2016-10012)
Field | Value
---|---
Summary | CVE-2016-10012 openssh: Bounds check can be evaded in the shared memory manager used by pre-authentication compression support
Product | [Other] Security Response
Component | vulnerability
Status | CLOSED ERRATA
Severity | low
Priority | low
Version | unspecified
Reporter | Andrej Nemec <anemec>
Assignee | Red Hat Product Security <security-response-team>
CC | ddmitrie, gsuckevi, ispcolohost, jjelen, mattias.ellert, plautrba, sardella, slawomir, yozone
Keywords | Reopened, Security
Target Milestone | ---
Target Release | ---
Hardware | All
OS | Linux
Fixed In Version | openssh 7.4
Doc Type | If docs needed, set a value
Doc Text | It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process.
Last Closed | 2021-10-27 10:51:54 UTC
Bug Depends On | 1406296, 1794492
Bug Blocks | 1406299, 1415638
Description

Andrej Nemec 2016-12-20 08:35:20 UTC

Upstream patches:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.165&r2=1.166
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.h.diff?r1=1.19&r2=1.20

Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1406296]

Shabba (comment #5)

Just FYI, PCI QSAs are treating this issue as grounds for certification failure, so many have begun failing companies during the quarterly or annual scans when the version of OpenSSH included in RHEL 7 and older does not have a patch for this.

(In reply to Shabba from comment #5)
> Just FYI, PCI QSAs are treating this issue as grounds for certification
> failure, so many have begun failing companies during the quarterly or annual
> scans when the version of OpenSSH included in RHEL 7 and older does not have
> a patch for this.

Thank you for your information. This bugzilla is not completely correct and we should fix it. Please open a ticket with customer support to get up-to-date information about this issue and when it is going to be fixed. https://access.redhat.com/support/

Created attachment 1306453 [details]
removes pre-auth compression, resolves CVE-2016-10012

This patch
* removes pre-auth compression
* resolves CVE-2016-10012
* is compatible with openssh rpm version 6.6.1.p1-35.el7 (meaning it can be included into the rpm spec)

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2017:2029 https://access.redhat.com/errata/RHSA-2017:2029

Statement:

In order to exploit this flaw, the attacker needs to first compromise the sandboxed privilege-separation process by using another security flaw. Because of this restriction for successful exploitation, this issue has been rated as having Low security impact.
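The Doc Text above describes a bounds check that a compiler is allowed to delete. The usual way this happens in C is a check that detects wraparound of `address + size` by comparing pointers: forming a pointer outside the object is undefined behaviour, so the optimizer may assume the comparison is always false and drop it. The following is an added illustration of that pattern and of a form that does not rely on undefined behaviour; it is not OpenSSH's code and not the attached patch. The `struct arena`, `range_ok_pointer_check` and `range_ok_offset_check` names, and the 4096-byte backing region, are hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not code from OpenSSH or from this bug's attachment.
 * Hypothetical arena: a base pointer and a size, standing in for a
 * shared-memory region whose bounds a privileged monitor must validate
 * on behalf of a less trusted process.
 */
struct arena {
    unsigned char *base;
    size_t size;
};

/*
 * Fragile check. It tries to detect wraparound of "address + size" by
 * comparing the resulting pointer with the start. Forming a pointer that
 * leaves the object is undefined behaviour in C, so a compiler may assume
 * "end >= a" always holds and delete the second test. Whether it does
 * depends on compiler and optimisation level, which is exactly the problem.
 */
int range_ok_pointer_check(const struct arena *mm, const void *address, size_t size)
{
    const unsigned char *a = address;
    const unsigned char *end = a + size;          /* UB when size is too large */

    if (a < mm->base)
        return 0;
    if (end < a)                                  /* may be optimised out */
        return 0;
    if (end > mm->base + mm->size)
        return 0;
    return 1;
}

/*
 * Robust check. Convert to unsigned integers first: unsigned arithmetic
 * wraps with defined behaviour, and "size > hi - a" is the overflow-free
 * form of "a + size > hi". No out-of-bounds pointer is ever formed.
 */
int range_ok_offset_check(const struct arena *mm, const void *address, size_t size)
{
    uintptr_t lo = (uintptr_t)mm->base;
    uintptr_t hi = lo + (uintptr_t)mm->size;      /* arena itself assumed not to wrap */
    uintptr_t a  = (uintptr_t)address;

    if (a < lo || a > hi)
        return 0;
    if (size > hi - a)
        return 0;
    return 1;
}

/* Constructed sample region for the demonstration. */
static unsigned char backing[4096];
static const struct arena demo = { backing, sizeof backing };

int main(void)
{
    /* Valid: the whole region, and an empty range at the very end. */
    printf("whole region: %d\n", range_ok_offset_check(&demo, backing, sizeof backing));
    printf("empty tail:   %d\n", range_ok_offset_check(&demo, backing + sizeof backing, 0));
    /* Invalid: runs past the end, and a size chosen so that a + size wraps. */
    printf("past end:     %d\n", range_ok_offset_check(&demo, backing + 100, 4000));
    printf("wrapping:     %d\n", range_ok_offset_check(&demo, backing + 8, SIZE_MAX - 7));
    return 0;
}
```

The wrapping case is the one a pointer-comparison check is meant to catch and the one the optimizer may silently stop catching; the offset form rejects it regardless of optimisation level because the comparison is on unsigned integers, not on pointers. Compiling the pointer version with and without optimisation and diffing the generated code for the `end < a` test is a quick way to see the check disappear on a given toolchain.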