Bug 823943 (CVE-2012-2385)

Summary: CVE-2012-2385 mosh: DoS (excessive CPU use) by processing short ANSI escape sequence
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: achernya, keithw
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20120515,reported=20120522,source=debian,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,fedora-all/mosh=affected,epel-all/mosh=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-10-29 04:03:34 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 823950, 832351    
Bug Blocks:    

Comment 1 Jan Lieskovsky 2012-05-22 09:55:06 EDT
CVE Request:
[4] http://www.openwall.com/lists/oss-security/2012/05/22/6
Comment 2 Jan Lieskovsky 2012-05-22 09:55:51 EDT
This issue affects the versions of the mosh package, as shipped with Fedora release of 15 and 16. Please schedule an update.
Comment 3 Jan Lieskovsky 2012-05-22 09:57:05 EDT
Created mosh tracking bugs for this issue

Affects: fedora-all [bug 823950]
Comment 4 Kurt Seifried 2012-05-22 13:40:41 EDT
Added CVE as per http://www.openwall.com/lists/oss-security/2012/05/22/9
Comment 5 Keith Winstein 2012-05-23 04:34:54 EDT
This bug relates to inefficient processing of some ANSI escape sequences by the Mosh terminal emulator.

An application or mosh-server can send a large value as the "repeat count" of an ANSI escape sequence, causing the mosh-server or mosh-client to spend a lot of CPU time interpreting a short ANSI escape sequence.

Because these applications are already trusted, this is not a security vulnerability per se. For example, the application is also able to shut off the user's keyboard with an ANSI escape sequence -- also not a security vulnerability. Because ANSI escape sequences can do arbitrary things to the user's terminal, programs that allow untrusted user-to-user communication (including write(1), wall(1), and e-mail and newsgroup readers) need to filter these out.

Mosh 1.2.1 will contain code to avoid spending all this CPU time by ignoring nonsensical repeat counts. But in general, any terminal emulator must trust the application, since the application decides what should be on the screen. If it wants to fill the screen with garbage or send a lot of beeps or turn off the user's keyboard, most terminal emulators will do what the applicaiton asks. These are matters of discretion and are not security vulnerabilities. (Similarly, the mosh-client must trust the mosh-server to decide what is on the screen and whether to accept user input.)

We have suggested this text as the issue description:

===
Mosh versions 1.2 and earlier allow an application to cause the mosh-server to consume large amounts of CPU time with a short ANSI escape sequence. In addition, a malicious mosh-server can cause the mosh-client to consume large amounts of CPU time with a short ANSI escape sequence. This arises because there was no limit on the value of the "repeat" parameter in some ANSI escape sequences, so even large and nonsensical values would be interpreted by Mosh's terminal emulator.
===

This gets away from the suggestion that the problem relates to "improper parsing" or the "count of parameters" (it's about wanting a limit on the _value_ of parameters so the terminal emulator doesn't do huge amounts of work to execute a very short sequence), or to data coming from "a remote attacker."

Thank you,
Keith Winstein
Mosh project
Comment 6 Stefan Cornelius 2012-06-15 04:40:21 EDT
Created mosh tracking bugs for this issue

Affects: epel-all [bug 832351]
Comment 7 Fedora Update System 2012-06-25 20:44:42 EDT
mosh-1.2.2-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-06-25 20:51:09 EDT
mosh-1.2.2-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-06-25 20:57:33 EDT
mosh-1.2.2-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2012-07-03 15:34:51 EDT
mosh-1.2.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-07-07 15:29:02 EDT
mosh-1.2.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.