Bug 1028686 - Memory corruption vulnerability in openssh 6.3
Memory corruption vulnerability in openssh 6.3
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
All Linux
unspecified Severity urgent
: ---
: ---
Assigned To: Petr Lautrbach
Fedora Extras Quality Assurance
: Security
Depends On:
Blocks: CVE-2013-4548
  Show dependency treegraph
Reported: 2013-11-09 10:10 EST by Orion Poplawski
Modified: 2013-11-09 13:12 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-11-09 13:11:52 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Orion Poplawski 2013-11-09 10:10:30 EST
Description of problem:

OpenSSH Security Advisory: gcmrekey.adv

This document may be found at: http://www.openssh.com/txt/gcmrekey.adv

1. Vulnerability

        A memory corruption vulnerability exists in the post-
        authentication sshd process when an AES-GCM cipher
        (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is
        selected during kex exchange.

        If exploited, this vulnerability might permit code execution
        with the privileges of the authenticated user and may
        therefore allow bypassing restricted shell/command

2. Affected configurations

        OpenSSH 6.2 and OpenSSH 6.3 when built against an OpenSSL
        that supports AES-GCM.

3. Mitigation

        Disable AES-GCM in the server configuration. The following
        sshd_config option will disable AES-GCM while leaving other
        ciphers active:

        Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

4. Details

        When using AES-GCM, sshd was not initialising a Message
        Authentication Code (MAC) context that is unused when the
        cipher mode offers authentication itself. This context
        contains some callback pointers, including a cleanup callback
        that was still being invoked during a rekeying operation.
        As such, the address being called was derived from previous
        heap contents.

	This vulnerability is mitigated by the difficulty of
        pre-loading the heap with a useful callback address and by
        any platform address-space layout randomisation applied to
        sshd and the shared libraries it depends upon.

5. Credit

        This issue was identified by Markus Friedl (an OpenSSH
	developer) on November 7th, 2013.

6. Fix

        OpenSSH 6.4 contains a fix for this vulnerability. Users who
        prefer to continue to use OpenSSH 6.2 or 6.3 may apply this

Index: monitor_wrap.c
RCS file: /cvs/src/usr.bin/ssh/monitor_wrap.c,v
retrieving revision 1.76
diff -u -p -u -r1.76 monitor_wrap.c
--- monitor_wrap.c	17 May 2013 00:13:13 -0000	1.76
+++ monitor_wrap.c	6 Nov 2013 16:31:26 -0000
@@ -469,7 +469,7 @@ mm_newkeys_from_blob(u_char *blob, int b
 	buffer_append(&b, blob, blen);
-	newkey = xmalloc(sizeof(*newkey));
+	newkey = xcalloc(1, sizeof(*newkey));
 	enc = &newkey->enc;
 	mac = &newkey->mac;
 	comp = &newkey->comp;
Comment 1 Orion Poplawski 2013-11-09 10:21:22 EST
I guess only Fedora 19 is affected.
Comment 2 Tomas Hoger 2013-11-09 13:11:52 EST
Bug 1028418 comment 1.

Note You need to log in before you can comment on or make changes to this bug.