Bug 1028418 - (CVE-2013-4548) CVE-2013-4548 openssh: post-auth memory corruption when using AES-GCM cipher
CVE-2013-4548 openssh: post-auth memory corruption when using AES-GCM cipher
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20131107,repor...
: Security
Depends On: 1028363 1028686 1028920 1029004
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-08 06:52 EST by Tomas Hoger
Modified: 2014-02-17 04:59 EST (History)
7 users (show)

See Also:
Fixed In Version: openssh 6.4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-08 08:59:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2013-11-08 06:52:22 EST
OpenSSH upstream has released version 6.4 which fixes a single security issue:

http://openssh.org/txt/release-6.4

 * sshd(8): fix a memory corruption problem triggered during rekeying
   when an AES-GCM cipher is selected. Full details of the vulnerability
   are available at: http://www.openssh.com/txt/gcmrekey.adv

Further details are available in the mentioned upstream advisory:

   A memory corruption vulnerability exists in the post-
   authentication sshd process when an AES-GCM cipher
   (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is
   selected during kex exchange.

   If exploited, this vulnerability might permit code execution
   with the privileges of the authenticated user and may
   therefore allow bypassing restricted shell/command
   configurations.

   ...

   When using AES-GCM, sshd was not initialising a Message
   Authentication Code (MAC) context that is unused when the
   cipher mode offers authentication itself. This context
   contains some callback pointers, including a cleanup callback
   that was still being invoked during a rekeying operation.
   As such, the address being called was derived from previous
   heap contents.

   This vulnerability is mitigated by the difficulty of
   pre-loading the heap with a useful callback address and by
   any platform address-space layout randomisation applied to
   sshd and the shared libraries it depends upon.

This issue affects version 6.2 and 6.3.  OpenSSH 6.2 is the first version that introduced affected AES-GCM ciphers:

http://openssh.org/txt/release-6.2

 * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in
   SSH protocol 2. The new cipher is available as aes128-gcm@openssh.com
   and aes256-gcm@openssh.com. It uses an identical packet format to the
   AES-GCM mode specified in RFC 5647, but uses simpler and different
   selection rules during key exchange.

Upstream patch is part of the advisory, and can be found in upstream CVS repository:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor_wrap.c#rev1.77

External References:

http://www.openssh.com/txt/gcmrekey.adv
Comment 1 Tomas Hoger 2013-11-08 06:54:38 EST
Fedora openssh packages based on vulnerable upstream versions 6.2 and 6.3 are not affected, as they already contain the same change as part of the openssh-*-audit.patch:

http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.3p1-audit.patch?id=84822b5#n1483

The fix was introduced as part of this commit:

http://pkgs.fedoraproject.org/cgit/openssh.git/commit/?h=f19&id=014fe81
Comment 3 Petr Lautrbach 2013-11-08 08:44:55 EST
Prior openssh-6.2p1, one of the implemented MACs algorithms was always used together with an used cipher so newkeys->mac was always initialized using choose_mac(). Since openssh-6.2p1, a new AES-GCM encryptions are implemented and given that GCM mode provides data integrity itself, no MAC is used:

-               choose_mac (&newkeys->mac,  cprop[nmac],  sprop[nmac]);
+               authlen = cipher_authlen(newkeys->enc.cipher);
+               if (authlen == 0)
+                       choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);


A new functionality in openssh-6.2p1-audit.patch added used MAC to audit messages and as a side effect fixed also this issue.
Comment 4 Tomas Hoger 2013-11-08 08:57:40 EST
(In reply to Petr Lautrbach from comment #3)
> -               choose_mac (&newkeys->mac,  cprop[nmac],  sprop[nmac]);
> +               authlen = cipher_authlen(newkeys->enc.cipher);
> +               if (authlen == 0)
> +                       choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);

The above is part of this upstream commit:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c#rev1.88
Comment 5 Tomas Hoger 2013-11-08 08:59:02 EST
Statement:

Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for AES-GCM cipher suites.
Comment 6 Tomas Mraz 2013-11-11 08:20:07 EST
*** Bug 1029004 has been marked as a duplicate of this bug. ***
Comment 7 Tomas Hoger 2014-02-17 04:59:50 EST
HackerOne report:
https://hackerone.com/reports/500

Note You need to log in before you can comment on or make changes to this bug.