Bug 1028686 - Memory corruption vulnerability in openssh 6.3
Summary: Memory corruption vulnerability in openssh 6.3
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 19
Hardware: All
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL: http://www.openssh.com/txt/gcmrekey.adv
Whiteboard:
Depends On:
Blocks: CVE-2013-4548
TreeView+ depends on / blocked
 
Reported: 2013-11-09 15:10 UTC by Orion Poplawski
Modified: 2013-11-09 18:12 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-11-09 18:11:52 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Orion Poplawski 2013-11-09 15:10:30 UTC 
Description of problem:

OpenSSH Security Advisory: gcmrekey.adv

This document may be found at: http://www.openssh.com/txt/gcmrekey.adv

1. Vulnerability

        A memory corruption vulnerability exists in the post-
        authentication sshd process when an AES-GCM cipher
        (aes128-gcm or aes256-gcm) is
        selected during kex exchange.

        If exploited, this vulnerability might permit code execution
        with the privileges of the authenticated user and may
        therefore allow bypassing restricted shell/command
        configurations.

2. Affected configurations

        OpenSSH 6.2 and OpenSSH 6.3 when built against an OpenSSL
        that supports AES-GCM.

3. Mitigation

        Disable AES-GCM in the server configuration. The following
        sshd_config option will disable AES-GCM while leaving other
        ciphers active:

        Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

4. Details

        When using AES-GCM, sshd was not initialising a Message
        Authentication Code (MAC) context that is unused when the
        cipher mode offers authentication itself. This context
        contains some callback pointers, including a cleanup callback
        that was still being invoked during a rekeying operation.
        As such, the address being called was derived from previous
        heap contents.

	This vulnerability is mitigated by the difficulty of
        pre-loading the heap with a useful callback address and by
        any platform address-space layout randomisation applied to
        sshd and the shared libraries it depends upon.

5. Credit

        This issue was identified by Markus Friedl (an OpenSSH
	developer) on November 7th, 2013.

6. Fix

        OpenSSH 6.4 contains a fix for this vulnerability. Users who
        prefer to continue to use OpenSSH 6.2 or 6.3 may apply this
        patch:

Index: monitor_wrap.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/monitor_wrap.c,v
retrieving revision 1.76
diff -u -p -u -r1.76 monitor_wrap.c
--- monitor_wrap.c	17 May 2013 00:13:13 -0000	1.76
+++ monitor_wrap.c	6 Nov 2013 16:31:26 -0000
@@ -469,7 +469,7 @@ mm_newkeys_from_blob(u_char *blob, int b
 	buffer_init(&b);
 	buffer_append(&b, blob, blen);
 
-	newkey = xmalloc(sizeof(*newkey));
+	newkey = xcalloc(1, sizeof(*newkey));
 	enc = &newkey->enc;
 	mac = &newkey->mac;
 	comp = &newkey->comp;
Comment 1 Orion Poplawski 2013-11-09 15:21:22 UTC 
I guess only Fedora 19 is affected.
Comment 2 Tomas Hoger 2013-11-09 18:11:52 UTC 
Bug 1028418 comment 1.
Note You need to log in before you can comment on or make changes to this bug.