Bug 908707 (CVE-2010-5107)

Summary: CVE-2010-5107 openssh: Prevent connection slot exhaustion attacks
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: btotty, dmcphers, jialiu, jrusnack, lmeyer, mattias.ellert, mgrepl, mmcgrath, mvanderw, Naoya_Ito, plautrba, ryo_tamura, tmraz, yaliu
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20130206,reported=20130206,source=oss-security,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,rhel-5/openssh=wontfix,rhel-6/openssh=affected,fedora-all/openssh=affected,cwe=CWE-400
Fixed In Version: openssh 6.2
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-02-25 04:10:34 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 908710, 1001879
Bug Blocks: 908713, 974906

Description Jan Lieskovsky 2013-02-07 06:07:46 EST
A denial of service flaw was found in the way the default server configuration of OpenSSH, an open source implementation of the SSH protocol versions 1 and 2, performed management of its connection slots. A remote attacker could use this flaw to cause connection slot exhaustion on the server.

References:
[1] http://seclists.org/oss-sec/2012/q1/1
[2] http://www.openwall.com/lists/oss-security/2013/02/06/5
[3] http://www.openwall.com/lists/oss-security/2013/02/07/3

Relevant upstream patches:
[4] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
[5] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
[6] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
Comment 1 Jan Lieskovsky 2013-02-07 06:09:44 EST
Public reproducer to demonstrate this issue was posted to the oss-security list:

http://www.openwall.com/lists/oss-security/2013/02/06/5
http://thread.gmane.org/gmane.comp.security.oss.general/9320
Comment 2 Jan Lieskovsky 2013-02-07 06:10:43 EST
This issue affects the versions of the openssh package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the openssh package, as shipped with Fedora releases 16, 17, and 18. Please schedule an update.
Comment 3 Jan Lieskovsky 2013-02-07 06:11:24 EST
Created openssh tracking bugs for this issue

Affects: fedora-all [bug 908710]
Comment 5 Fedora Update System 2013-02-12 23:33:04 EST
openssh-6.1p1-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-02-25 21:47:04 EST
openssh-5.9p1-29.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Huzaifa S. Sidhpurwala 2013-03-20 01:25:46 EDT
This flaw was addressed upstream by enabling 'random early drop' by default, via the sshd_config file. The default value of 'MaxStartups' is now changed from 10 to 10:30:100.

sshd_config man page describes this as follows:

'Alternatively, random early drop can be enabled by specifying the three colon separated values “start:rate:full” (e.g."10:30:60").  sshd(8) will refuse connection attempts with a probability of “rate/100” (30%) if there are currently “start” (10) unauthenticated connections.  The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches “full” (60).'

This flaw can be mitigated in the versions of OpenSSH shipped with Red Hat Enterprise Linux 5 and 6, by setting the value of 'MaxStartups' as described above. (Values should be changed as per requirement)
Comment 8 Huzaifa S. Sidhpurwala 2013-03-20 01:28:36 EDT
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 10 Tomas Hoger 2013-10-25 17:27:12 EDT
New default for MaxStartups is used in upstream OpenSSH starting with version 6.2.
Comment 11 errata-xmlrpc 2013-11-21 04:45:32 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1591 https://rhn.redhat.com/errata/RHSA-2013-1591.html
Comment 12 errata-xmlrpc 2013-11-21 19:36:18 EST
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:1527 https://rhn.redhat.com/errata/RHSA-2013-1527.html