|Summary:||CVE-2016-10708 openssh: Out of sequence NEWKEYS message can allow remote attacker to cause denial of service|
|Product:||[Other] Security Response||Reporter:||Sam Fowler <sfowler>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED WONTFIX||QA Contact:|
|Version:||unspecified||CC:||brahma.gdb, carnil, dwalsh, jfch, jjelen, lkundrak, mattias.ellert, pebarbos, plautrba, slawomir, tmraz|
|Target Milestone:||---||Keywords:||Reopened, Security|
|Fixed In Version:||openssh 7.4||Doc Type:||If docs needed, set a value|
|Doc Text:||Story Points:||---|
|Last Closed:||2018-02-06 18:13:50 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:|
Description Sam Fowler 2018-01-24 06:26:23 UTC
sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10708 https://www.openssh.com/releasenotes.html http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html Upstream Patch: https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737
Comment 1 Jakub Jelen 2018-01-24 08:01:03 UTC
OpenSSH 7.4 is in RHEL7.4 so we should be safe here. But the release notes do not talk about this issue: http://www.openssh.com/txt/release-7.4 Are you sure it is denial of service by crashing the whole daemon, or is it just a per-connection process, that is crashing? Are we able to reproduce it?
Comment 2 Salvatore Bonaccorso 2018-01-27 07:40:32 UTC
Hi Jakub, Regarding the release notes: it is mentioned in the "Bugfixes" section: * sshd(8): fix NULL-deref crash if sshd(8) received an out-of- sequence NEWKEYS message. Your second question though is still open.
Comment 3 Pedro Yóssis Silva Barbosa 2018-02-01 19:42:27 UTC
RHEL-6 is affected, RHEL-7 is not. Although I did not make a reproducer, I made a simple test here (forcing crash in the vulnerable part, through patching the binary with bad opcodes) and could confirm that the DoS is just a per-connection process, not the whole daemon. Hence, WONTFIX.
Comment 7 Pedro Yóssis Silva Barbosa 2018-02-05 13:41:53 UTC
Note: Originally, this issue affected Red Hat Enterprise Linux 7 (version 7.3 and earlier). Due a rebase (RHSA-2017:2029-09), this issue was mitigated in Red Hat Enterprise Linux 7 and later versions.
Comment 9 Pedro Yóssis Silva Barbosa 2018-02-06 18:05:46 UTC
Statement: This issue affects the versions of openssh as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 (versions 7.3 and earlier). For Red Hat Enterprise Linux 7 (versions 7.4 and later), this issue was fixed by the Security Advisory RHSA-2017:2029. For Red Hat Enterprise Linux 6, Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 10 Pedro Yóssis Silva Barbosa 2018-02-06 18:10:37 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2029 https://access.redhat.com/errata/RHSA-2017:2029
Comment 11 Brahma 2019-05-15 15:15:35 UTC
Could you please share proposed testcase and reproduction for the same.