Bug 1238238 - openssh: weakness of agent locking (ssh-add -x) to password guessing
Summary: openssh: weakness of agent locking (ssh-add -x) to password guessing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1238241 1247864 1281468
Blocks: 1252864
TreeView+ depends on / blocked
 
Reported: 2015-07-01 12:55 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:10 UTC (History)
9 users (show)

Fixed In Version: OpenSSH 6.9
Clone Of:
Environment:
Last Closed: 2016-05-11 08:09:54 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2088 0 normal SHIPPED_LIVE Moderate: openssh security, bug fix, and enhancement update 2015-11-19 08:38:51 UTC

Description Vasyl Kaigorodov 2015-07-01 12:55:56 UTC
OpenSSH version 6.9 fix weakness of agent locking (ssh-add -x) to password guessing by implementing an increasing failure delay, storing a salted hash of the password rather than the password itself and using a timing-safe comparison function for verifying unlock attempts. This problem was reported by Ryan Castellucci.
Upstream patch: https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=9173d0fbe44de7ebcad8a15618e13a8b8d78902e

External References:

http://www.openssh.com/txt/release-6.9

Comment 1 Vasyl Kaigorodov 2015-07-01 12:59:26 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1238241]

Comment 2 Martin Prpič 2015-07-02 12:20:57 UTC
Per http://openwall.com/lists/oss-security/2015/07/01/10 , MITRE did not assign a CVE to this issue:

"Our current thought is that a CVE ID may not be needed because attacks against ssh-agent locking don't cross a privilege boundary. In other words, the changelog entry could be interpreted to mean addition of a new security feature related to a threat model that wasn't in the previous design goals (e.g., password guessing by malware running under the same account)."

Comment 3 Fedora Update System 2015-07-10 19:09:15 UTC
openssh-6.6.1p1-13.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-07-10 19:18:17 UTC
openssh-6.9p1-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 errata-xmlrpc 2015-11-19 08:03:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2088 https://rhn.redhat.com/errata/RHSA-2015-2088.html


Note You need to log in before you can comment on or make changes to this bug.