Red Hat Bugzilla – Bug 1028686
Memory corruption vulnerability in openssh 6.3
Last modified: 2013-11-09 13:12:32 EST
Description of problem:
OpenSSH Security Advisory: gcmrekey.adv
This document may be found at: http://www.openssh.com/txt/gcmrekey.adv
A memory corruption vulnerability exists in the post-
authentication sshd process when an AES-GCM cipher
(email@example.com or firstname.lastname@example.org) is
selected during kex exchange.
If exploited, this vulnerability might permit code execution
with the privileges of the authenticated user and may
therefore allow bypassing restricted shell/command
2. Affected configurations
OpenSSH 6.2 and OpenSSH 6.3 when built against an OpenSSL
that supports AES-GCM.
Disable AES-GCM in the server configuration. The following
sshd_config option will disable AES-GCM while leaving other
When using AES-GCM, sshd was not initialising a Message
Authentication Code (MAC) context that is unused when the
cipher mode offers authentication itself. This context
contains some callback pointers, including a cleanup callback
that was still being invoked during a rekeying operation.
As such, the address being called was derived from previous
This vulnerability is mitigated by the difficulty of
pre-loading the heap with a useful callback address and by
any platform address-space layout randomisation applied to
sshd and the shared libraries it depends upon.
This issue was identified by Markus Friedl (an OpenSSH
developer) on November 7th, 2013.
OpenSSH 6.4 contains a fix for this vulnerability. Users who
prefer to continue to use OpenSSH 6.2 or 6.3 may apply this
RCS file: /cvs/src/usr.bin/ssh/monitor_wrap.c,v
retrieving revision 1.76
diff -u -p -u -r1.76 monitor_wrap.c
--- monitor_wrap.c 17 May 2013 00:13:13 -0000 1.76
+++ monitor_wrap.c 6 Nov 2013 16:31:26 -0000
@@ -469,7 +469,7 @@ mm_newkeys_from_blob(u_char *blob, int b
buffer_append(&b, blob, blen);
- newkey = xmalloc(sizeof(*newkey));
+ newkey = xcalloc(1, sizeof(*newkey));
enc = &newkey->enc;
mac = &newkey->mac;
comp = &newkey->comp;
I guess only Fedora 19 is affected.
Bug 1028418 comment 1.