Red Hat Bugzilla – Full Text Bug Listing
Summary: CVE-2010-5107 openssh: Prevent connection slot exhaustion attacks
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Version: unspecified
CC: btotty, dmcphers, jialiu, jrusnack, lmeyer, mattias.ellert, mgrepl, mmcgrath, mvanderw, Naoya_Ito, plautrba, ryo_tamura, tmraz, yaliu
Fixed In Version: openssh 6.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2015-02-25 04:10:34 EST
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 908710, 1001879
Bug Blocks: 908713, 974906
Description Jan Lieskovsky 2013-02-07 06:07:46 EST
A denial of service flaw was found in the way the default server configuration of OpenSSH, an open source implementation of SSH protocol versions 1 and 2, managed its connection slots. A remote attacker could use this flaw to cause connection slot exhaustion on the server.

References:
http://seclists.org/oss-sec/2012/q1/1
http://www.openwall.com/lists/oss-security/2013/02/06/5
http://www.openwall.com/lists/oss-security/2013/02/07/3

Relevant upstream patches:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
Comment 1 Jan Lieskovsky 2013-02-07 06:09:44 EST
A public reproducer demonstrating this issue was posted to the oss-security list:
http://www.openwall.com/lists/oss-security/2013/02/06/5
http://thread.gmane.org/gmane.comp.security.oss.general/9320
Comment 2 Jan Lieskovsky 2013-02-07 06:10:43 EST
This issue affects the versions of the openssh package as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the openssh package as shipped with Fedora releases 16, 17, and 18. Please schedule an update.
Comment 3 Jan Lieskovsky 2013-02-07 06:11:24 EST
Created openssh tracking bugs for this issue.

Affects: fedora-all [bug 908710]
Comment 5 Fedora Update System 2013-02-12 23:33:04 EST
openssh-6.1p1-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-02-25 21:47:04 EST
openssh-5.9p1-29.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Huzaifa S. Sidhpurwala 2013-03-20 01:25:46 EDT
This flaw was addressed upstream by enabling 'random early drop' by default via the sshd_config file. The default value of 'MaxStartups' is now changed from 10 to 10:30:100. The sshd_config man page describes this as follows:

'Alternatively, random early drop can be enabled by specifying the three colon separated values "start:rate:full" (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60).'

This flaw can be mitigated in the versions of OpenSSH shipped with Red Hat Enterprise Linux 5 and 6 by setting the value of 'MaxStartups' as described above. (Values should be changed as per requirement.)
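The random early drop that a three-value MaxStartups setting enables, as an added C example modelled on the man page wording quoted above (illustrative code, not OpenSSH's own). The roll in should_drop is a parameter so the decision can be checked deterministically; sshd itself draws it from a CSPRNG.

```c
#include <stdio.h>
#include <string.h>
/* Parsed MaxStartups value "start:rate:full" (e.g. "10:30:100"). */
struct max_startups {
    int begin; /* "start": unauthenticated connections before any dropping */
    int rate;  /* "rate": drop probability in percent at exactly 'begin' */
    int full;  /* "full": count at which every new connection is refused */
};

/* Parse "start:rate:full"; a bare "N" (the old default "10") means begin == full == N,
 * i.e. hard refusal with no random early drop.  Returns 0 on success, -1 on bad input. */
int parse_max_startups(const char *value, struct max_startups *ms)
{
    int b, r, f;
    if (sscanf(value, "%d:%d:%d", &b, &r, &f) == 3) {
        if (b < 1 || r < 1 || r > 100 || f < b)
            return -1;
        ms->begin = b; ms->rate = r; ms->full = f;
        return 0;
    }
    if (strchr(value, ':') == NULL && sscanf(value, "%d", &b) == 1 && b >= 1) {
        ms->begin = ms->full = b; ms->rate = 100;
        return 0;
    }
    return -1;
}

/* Probability (percent) that a new unauthenticated connection is refused when
 * 'startups' such connections already exist: 0 below 'begin', 'rate' at
 * 'begin', rising linearly to 100 at 'full'. */
int drop_probability(const struct max_startups *ms, int startups)
{
    int p;
    if (startups < ms->begin)
        return 0;
    if (startups >= ms->full || ms->rate == 100)
        return 100;
    p  = 100 - ms->rate;            /* remaining headroom up to 100% */
    p *= startups - ms->begin;      /* how far into the ramp we are */
    p /= ms->full - ms->begin;      /* ramp length */
    return p + ms->rate;
}

/* Drop decision for one connection, given a uniform random roll in [0,100).
 * The roll is passed in (sshd draws it from a CSPRNG) so results are testable. */
int should_drop(const struct max_startups *ms, int startups, int roll)
{
    return roll < drop_probability(ms, startups);
}
```

With the new default 10:30:100, a server holding 55 unauthenticated connections refuses 65% of new attempts, while the old bare "10" refused nothing until the tenth slot and then everything.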
Comment 8 Huzaifa S. Sidhpurwala 2013-03-20 01:28:36 EDT
Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 10 Tomas Hoger 2013-10-25 17:27:12 EDT
New default for MaxStartups is used in upstream OpenSSH starting with version 6.2.
Comment 11 errata-xmlrpc 2013-11-21 04:45:32 EST
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2013:1591 https://rhn.redhat.com/errata/RHSA-2013-1591.html