Bug 1767966 (CVE-2019-16905)

Summary: CVE-2019-16905 openssh: an integer overflow in the private key parsing code for the XMSS key type
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: bdettelb, dwalsh, jfch, jjelen, jschorr, lkundrak, mattias.ellert, plautrba, tmraz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: openssh 8.1, openssh 8.1p1
Doc Type: If docs needed, set a value
Doc Text:
A denial of service flaw was found in the way OpenSSH parsed certain specially crafted XMSS (eXtended Merkle Signature Scheme) private keys. Any OpenSSH functionality which parses private keys is vulnerable, for example:

1. If the 'sshd' daemon is configured to use an XMSS host key that is malformed, it will crash upon any attempt to connect to this server.
2. If 'authorized_keys' is configured to use an XMSS public key, and the private key is used to connect to the server, the ssh client used for the connection will crash.
3. Adding a crafted XMSS key to ssh-agent will cause the ssh-agent to crash.
4. Hosting services which allow users to upload keys may be affected. Malicious keys will cause the flaw to be triggered when the key is parsed. (Note: upload alone is not enough; the key needs to be parsed to cause the crash.)
Last Closed: 2019-11-04 09:47:13 UTC
Bug Depends On: 1767967, 1767968    
Bug Blocks: 1767969    

Description Guilherme de Almeida Suckevicz 2019-11-01 18:26:20 UTC
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.

References:
https://ssd-disclosure.com/archives/4033/ssd-advisory-openssh-pre-auth-xmss-integer-overflow
https://www.openssh.com/releasenotes.html

Comment 1 Guilherme de Almeida Suckevicz 2019-11-01 18:26:38 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-29 [bug 1767967]
Affects: fedora-30 [bug 1767968]

Comment 3 Huzaifa S. Sidhpurwala 2019-11-04 06:16:46 UTC
Mitigation:

This flaw is triggered when parsing XMSS private keys. XMSS is a PQC (Post-quantum cryptography) algorithm and its use is currently experimental. Other key types or any other OpenSSH functionality are not affected by this flaw. A possible mitigation for this flaw is to NOT use XMSS keys for SSH.

Comment 4 Huzaifa S. Sidhpurwala 2019-11-04 06:26:38 UTC
Upstream patch: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c.diff?r1=1.5&r2=1.6

Comment 5 Jakub Jelen 2019-11-04 08:23:34 UTC
The OpenSSH in Fedora and RHEL is built without XMSS support, so I will close these as not a bug.

Comment 6 Huzaifa S. Sidhpurwala 2019-11-04 09:00:51 UTC
Statement:

The versions of the OpenSSH package shipped with Red Hat products do not enable support for XMSS and therefore are not affected by this flaw.
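
An added example, not part of this bug report or of OpenSSH: a POSIX shell inventory for the mitigation in comment 3, which finds XMSS key material by key-type name without handing any file to an OpenSSH key parser. The function names are hypothetical; it assumes the key type names `ssh-xmss@openssh.com` and `ssh-xmss-cert-v01@openssh.com`, and that the public half of an `openssh-key-v1` private key file is stored unencrypted.

```shell
#!/bin/sh
# Added example: inventory XMSS key material for the "do not use XMSS keys"
# mitigation. Files are only read with grep/base64, never parsed by ssh tools.
# Assumption: XMSS key types are named as in this regex.
XMSS_RE='ssh-xmss(-cert-v01)?@openssh\.com'

# Succeeds only if the local ssh client build lists an XMSS key type.
build_has_xmss() {
    ssh -Q key 2>/dev/null | grep -Eq "^$XMSS_RE\$"
}

# Prints "xmss-private", "xmss-public" or "none" for one file.
classify_key_file() {
    f=$1
    if grep -q -- '-----BEGIN OPENSSH PRIVATE KEY-----' "$f" 2>/dev/null; then
        # Assumption: the openssh-key-v1 container keeps the public key blob
        # (which starts with the key type name) outside the encrypted part,
        # so the name is visible after base64-decoding the body.
        if grep -v -- '^-----' "$f" | tr -d '\r\n ' | base64 -d 2>/dev/null |
            grep -aEq "$XMSS_RE"; then
            echo xmss-private
            return 0
        fi
    elif grep -Eq "(^|[[:space:]])$XMSS_RE[[:space:]]" "$f" 2>/dev/null; then
        # authorized_keys, known_hosts and *.pub lines: the key type is a
        # whitespace-delimited field, possibly preceded by options or a host.
        echo xmss-public
        return 0
    fi
    echo none
}

# Prints "<kind><TAB><path>" for every XMSS key file below a directory.
scan_dir() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        kind=$(classify_key_file "$f")
        [ "$kind" = none ] || printf '%s\t%s\n' "$kind" "$f"
    done
}

# Usage (paths are examples): scan_dir /etc/ssh; scan_dir "$HOME/.ssh"
# build_has_xmss && echo "this ssh build accepts XMSS keys"
```
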