Bug 1158089 (CVE-2014-8132) - CVE-2014-8132 libssh: Possible double free on a dangling pointer with crafted kexinit packet
Summary: CVE-2014-8132 libssh: Possible double free on a dangling pointer with crafted...
Status: CLOSED CURRENTRELEASE
Alias: CVE-2014-8132
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20141219,repor...
Keywords: Security
Depends On: 1176145 1176146
Blocks: 1158092
TreeView+ depends on / blocked
 
Reported: 2014-10-28 14:30 UTC by Andreas Schneider
Modified: 2019-06-08 20:15 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2018-01-30 06:53:52 UTC


Attachments (Terms of Use)

Description Andreas Schneider 2014-10-28 14:30:36 UTC
Description of problem:

Maybe it is possible to send a malicious kexinit package to eventually cause a server to a double-free.

I guess this is only a DoS.

Source code:

http://git.libssh.org/projects/libssh.git/


Patch:

From f6b9f851b962e3a587f3f99b7cb97d130f0c77b9 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@jonsimons.org>
Date: Sat, 18 Oct 2014 23:23:26 -0700
Subject: [PATCH] kex: fixup error path in ssh_packet_kexinit

Before this change, dangling pointers can be unintentionally left in
the respective next_crypto kex methods slots.  Ensure to set all slots
to NULL in the error-out path.

Signed-off-by: Jon Simons <jon@jonsimons.org>
---
 src/kex.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/kex.c b/src/kex.c
index f1a1b56..ee00ec3 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -443,6 +443,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
 error:
     ssh_string_free(str);
     for (i = 0; i < SSH_KEX_METHODS; i++) {
+        if (server_kex) {
+            session->next_crypto->client_kex.methods[i] = NULL;
+        } else { /* client */
+            session->next_crypto->server_kex.methods[i] = NULL;
+        }
         SAFE_FREE(strings[i]);
     }
 
-- 
1.9.1

Comment 1 Andreas Schneider 2014-10-28 15:17:04 UTC
The patch was not complete:

From 3ec6790970973e52de30de46f24e4658c1f2e29b Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@jonsimons.org>
Date: Sat, 18 Oct 2014 23:23:26 -0700
Subject: [PATCH] kex: fixup error path in ssh_packet_kexinit

Before this change, dangling pointers can be unintentionally left in
the respective next_crypto kex methods slots.  Ensure to set all slots
to NULL in the error-out path.

Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
 src/kex.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/kex.c b/src/kex.c
index f1a1b56..695929e 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -368,7 +368,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
     for (i = 0; i < KEX_METHODS_SIZE; i++) {
         str = buffer_get_ssh_string(packet);
         if (str == NULL) {
-          break;
+          goto error;
         }
 
         rc = buffer_add_ssh_string(session->in_hashbuf, str);
@@ -443,6 +443,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
 error:
     ssh_string_free(str);
     for (i = 0; i < SSH_KEX_METHODS; i++) {
+        if (server_kex) {
+            session->next_crypto->client_kex.methods[i] = NULL;
+        } else { /* client */
+            session->next_crypto->server_kex.methods[i] = NULL;
+        }
         SAFE_FREE(strings[i]);
     }
 
-- 
2.1.2

Comment 2 Andreas Schneider 2014-11-27 17:36:02 UTC
Ping!

Comment 3 Vincent Danen 2014-12-05 15:03:51 UTC
This has been assigned CVE-2014-8132 and the planned disclosure date is December 19th.

Comment 4 Vincent Danen 2014-12-19 14:42:51 UTC
This is fixed in libssh 0.6.4 and upstream describes it thus:

"""
This is an important SECURITY and maintenance release in order to address CVE-2014-8132 – Double free on dangling pointers in initial key exchange packet.
libssh versions 0.5.1 and above could leave dangling pointers in the session
crypto structures. It is possible to send a malicious kexinit package to
eventually cause a server to do a double-free before this fix.

This could be used for a Denial of Service attack.
"""


External References:

http://www.libssh.org/2014/12/19/libssh-0-6-4-security-and-bugfix-release/

Comment 5 Vincent Danen 2014-12-19 14:43:15 UTC
Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1176145]
Affects: epel-all [bug 1176146]

Comment 6 Fedora Update System 2015-01-03 18:59:10 UTC
libssh-0.6.4-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-01-03 19:11:07 UTC
libssh-0.6.4-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-01-03 19:12:42 UTC
libssh-0.6.4-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-01-06 02:05:35 UTC
libssh-0.6.4-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2015-01-06 02:09:28 UTC
libssh-0.5.5-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-01-06 02:09:35 UTC
libssh-0.5.5-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Andreas Schneider 2018-01-30 06:53:52 UTC
I think this can be closed as fixed.


Note You need to log in before you can comment on or make changes to this bug.