Bug 1305971 - (CVE-2016-0739) CVE-2016-0739 libssh: bits/bytes confusion resulting in truncated Difffie-Hellman secret length
CVE-2016-0739 libssh: bits/bytes confusion resulting in truncated Difffie-Hel...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160223,repor...
: Security
Depends On: 1311260 1310046 1310047 1311259 1311276 1311277
Blocks: 1305973
  Show dependency treegraph
 
Reported: 2016-02-09 12:23 EST by Kurt Seifried
Modified: 2016-04-20 06:04 EDT (History)
6 users (show)

See Also:
Fixed In Version: libssh 0.7.3
Doc Type: Bug Fix
Doc Text:
A type confusion issue was found in the way libssh generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-01 00:05:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
libssh-CVE-2016-0739.patch (1.99 KB, patch)
2016-02-09 12:34 EST, Kurt Seifried
no flags Details | Diff
CVE-2016-0739 advisory text (2.33 KB, text/plain)
2016-02-19 04:33 EST, Andreas Schneider
no flags Details
Patch (1.85 KB, patch)
2016-02-22 06:40 EST, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Kurt Seifried 2016-02-09 12:23:43 EST
Andreas Schneider of Red Hat reports:

Due to a byte/bit confusion, the DH secret was too short. This file was
completely reworked and will be commited in a future version.

This issue may be worked around by using other key exchange methods, such as
curve25519-sha256@libssh.org or ecdh-sha2-nistp256, both are not vulnerable.
By default, an unpatched libssh implementation will already attempt to use
these two more secure methods when supported by the other party.
Comment 1 Kurt Seifried 2016-02-09 12:34 EST
Created attachment 1122470 [details]
libssh-CVE-2016-0739.patch
Comment 2 Kurt Seifried 2016-02-09 12:35:26 EST
The embargo is currently set for Feb 23rd, 2016 14:00 CET.
Comment 3 Andreas Schneider 2016-02-19 04:33 EST
Created attachment 1128493 [details]
CVE-2016-0739 advisory text
Comment 8 Tomas Hoger 2016-02-22 06:40 EST
Created attachment 1129246 [details]
Patch

The same patch as attached in comment 1, but with correct white spaces / indent.
Comment 10 Stef Walter 2016-02-22 06:58:06 EST
Tomas, thanks. That patch applies well.
Comment 13 Stef Walter 2016-02-22 07:33:19 EST
I'm unsure how one would verify that the patch applied, but I see this in the build log:

+ echo 'Patch #1 (libssh-CVE-2016-0739.patch):'
Patch #1 (libssh-CVE-2016-0739.patch):
+ /usr/bin/cat /builddir/build/SOURCES/libssh-CVE-2016-0739.patch
+ /usr/bin/patch -p1 --fuzz=0
patching file src/dh.c

And I have checked that the patch file starts with:

From dc2eaa017fe77e53bd9f1d4327a480d9bfe6cc6a Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@0xbadc0de.be>
Date: Tue, 9 Feb 2016 15:09:27 +0100
Subject: [PATCH] dh: fix CVE-2016-0739

Due to a byte/bit confusion, the DH secret was too short. This file was
completely reworked and will be commited in a future version.
---
Comment 14 Andreas Schneider 2016-02-22 09:31:07 EST
The only way to verify this, is to build libssh with:

cmake -DWITH_DEBUG_CRYPTO=ON

Then do a rsa connection using the libssh example client ./examples/samplessh. It will print x (the random secret bignum) on the command line.
Comment 15 Tomas Hoger 2016-02-23 13:16:02 EST
Fixed upstream in version 0.7.3:

https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/
Comment 16 Tomas Hoger 2016-02-23 13:19:36 EST
Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1311259]
Affects: epel-all [bug 1311260]
Comment 17 Tomas Hoger 2016-02-23 13:21:54 EST
External Reference:

https://www.libssh.org/security/advisories/CVE-2016-0739.txt
Comment 19 Kurt Seifried 2016-02-23 14:38:49 EST
Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1311276]
Affects: epel-all [bug 1311277]
Comment 20 Martin Prpič 2016-02-24 05:00:54 EST
Acknowledgments:

Name: Aris Adamantiadis
Comment 21 errata-xmlrpc 2016-03-31 19:25:49 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2016:0566 https://rhn.redhat.com/errata/RHSA-2016-0566.html

Note You need to log in before you can comment on or make changes to this bug.