Red Hat Bugzilla – Bug 1028418
CVE-2013-4548 openssh: post-auth memory corruption when using AES-GCM cipher
Last modified: 2014-02-17 04:59:50 EST
OpenSSH upstream has released version 6.4 which fixes a single security issue:
* sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv
Further details are available in the mentioned upstream advisory:
A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during kex exchange.
If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command
When using AES-GCM, sshd was not initialising a Message Authentication Code (MAC) context that is unused when the cipher mode offers authentication itself. This context contains some callback pointers, including a cleanup callback that was still being invoked during a rekeying operation. As such, the address being called was derived from previous
This vulnerability is mitigated by the difficulty of pre-loading the heap with a useful callback address and by any platform address-space layout randomisation applied to sshd and the shared libraries it depends upon.
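The advisory's mechanism, as an added illustration that is not code from OpenSSH or from this bug report: a simplified model of a key-exchange "newkeys" structure whose MAC context carries a cleanup callback. Storage is reused between two exchanges to stand in for heap reuse, and the names (`keys_slot`, `prev_cleanup`, `kex_choose_conf_unsafe`, `kex_choose_conf_fixed`) are hypothetical. The unsafe variant skips the MAC context for an AEAD cipher without putting it into a defined state, so the previous occupant's callback is still invoked at rekey teardown; the fixed variant zero-fills the structure first, so an unused MAC context has a null callback.

```c
/* Added example, not OpenSSH code: a simplified model of the newkeys
 * structure described in the advisory. Reusing the slot below stands in
 * for heap reuse; all names here are hypothetical. */
#include <stdio.h>
#include <string.h>

typedef void (*mac_cleanup_fn)(void);

struct mac_ctx {
    int enabled;            /* set when a MAC is actually negotiated */
    mac_cleanup_fn cleanup; /* callback run when the keys are torn down */
};

struct newkeys {
    int authlen;            /* >0 for AEAD ciphers such as AES-GCM */
    struct mac_ctx mac;     /* unused when authlen > 0 */
};

/* Storage that is reused between key exchanges (models heap reuse). */
union keys_slot {
    struct newkeys k;
    unsigned char raw[sizeof(struct newkeys)];
};

/* Counts cleanup calls made on behalf of an *earlier* MAC context. In the
 * real bug the stale pointer came from previous heap contents; here it is
 * a known function so the effect can be observed deterministically. */
static int prev_cleanup_calls;
static void prev_cleanup(void) { prev_cleanup_calls++; }

/* Model of choose_mac(): a negotiated MAC installs its cleanup hook. */
static void choose_mac(struct mac_ctx *m)
{
    m->enabled = 1;
    m->cleanup = prev_cleanup;
}

/* Unsafe pattern: the MAC context is skipped for AEAD ciphers but never
 * put into a defined state, so whatever the slot held before survives. */
static void kex_choose_conf_unsafe(union keys_slot *s, int authlen)
{
    s->k.authlen = authlen;
    if (authlen == 0)
        choose_mac(&s->k.mac);
}

/* Fixed pattern: start from zeroed storage so an unused MAC context has
 * enabled == 0 and cleanup == NULL before anything can call it. */
static void kex_choose_conf_fixed(union keys_slot *s, int authlen)
{
    memset(s->raw, 0, sizeof s->raw);
    s->k.authlen = authlen;
    if (authlen == 0)
        choose_mac(&s->k.mac);
}

/* Rekey teardown as the advisory describes: the cleanup hook is invoked
 * whenever the context appears to hold one. */
static void newkeys_free(struct newkeys *k)
{
    if (k->mac.cleanup != NULL)
        k->mac.cleanup();
}

/* Two exchanges over the same storage: first a non-AEAD cipher with a real
 * MAC, then AES-GCM (authlen 16). Returns how many times the *old* MAC's
 * cleanup hook fired during the AES-GCM teardown; 0 is the correct value. */
static int stale_cleanup_calls(void (*choose)(union keys_slot *, int))
{
    union keys_slot slot;
    memset(slot.raw, 0, sizeof slot.raw);  /* fresh allocation */

    choose(&slot, 0);                      /* non-AEAD cipher plus a MAC */
    newkeys_free(&slot.k);                 /* legitimate cleanup */
    prev_cleanup_calls = 0;                /* count only what follows */

    choose(&slot, 16);                     /* AES-GCM: no MAC should be used */
    newkeys_free(&slot.k);                 /* rekeying tears the keys down */
    return prev_cleanup_calls;
}

int unsafe_calls(void) { return stale_cleanup_calls(kex_choose_conf_unsafe); }
int fixed_calls(void)  { return stale_cleanup_calls(kex_choose_conf_fixed); }

int main(void)
{
    printf("stale MAC cleanup fired: unsafe=%d fixed=%d\n",
           unsafe_calls(), fixed_calls());
    return 0;
}
```

The point of the model is the invariant, not the specific fix: a context that a code path chooses not to configure must still be in a state where every later consumer (here the teardown during rekeying) sees null callbacks, and the `authlen` gate in the fix below only achieves that when the structure was zero-filled at allocation.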
This issue affects versions 6.2 and 6.3. OpenSSH 6.2 is the first version that introduced the affected AES-GCM ciphers:
* ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in SSH protocol 2. The new cipher is available as aes128-gcm@openssh.com and aes256-gcm@openssh.com. It uses an identical packet format to the AES-GCM mode specified in RFC 5647, but uses simpler and different selection rules during key exchange.
The upstream patch is part of the advisory and can be found in the upstream CVS repository:
Fedora openssh packages based on the vulnerable upstream versions 6.2 and 6.3 are not affected, as they already contain the same change as part of openssh-*-audit.patch:
The fix was introduced as part of this commit:
Prior to openssh-6.2p1, one of the implemented MAC algorithms was always used together with the selected cipher, so newkeys->mac was always initialized using choose_mac(). Since openssh-6.2p1, the new AES-GCM ciphers are implemented, and given that GCM mode provides data integrity itself, no MAC is used:
- choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]);
+ authlen = cipher_authlen(newkeys->enc.cipher);
+ if (authlen == 0)
+ choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);
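Review bot: the new `if (authlen == 0)` guard leaves `newkeys->mac` untouched whenever an AEAD cipher such as AES-GCM is negotiated, and that is only safe if `newkeys` was zero-filled at allocation, since the advisory quoted above says this context carries callback pointers that are later invoked during rekeying; either confirm the zeroed allocation in the surrounding code or clear `newkeys->mac` explicitly in an `else` branch so the cleanup path sees null callbacks. The fragment also does not show where `authlen` is declared, so the declaration should be checked in the full diff.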
New functionality in openssh-6.2p1-audit.patch added the used MAC to audit messages and, as a side effect, also fixed this issue.
(In reply to Petr Lautrbach from comment #3)
> - choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]);
> + authlen = cipher_authlen(newkeys->enc.cipher);
> + if (authlen == 0)
> + choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);
The above is part of this upstream commit:
Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for AES-GCM cipher suites.
*** Bug 1029004 has been marked as a duplicate of this bug. ***