1305971 – (CVE-2016-0739) CVE-2016-0739 libssh: bits/bytes confusion resulting in truncated Difffie-Hellman secret length

Bug 1305971 (CVE-2016-0739) - CVE-2016-0739 libssh: bits/bytes confusion resulting in truncated Difffie-Hellman secret length

Summary: CVE-2016-0739 libssh: bits/bytes confusion resulting in truncated Difffie-Hel...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-0739
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1310046 1310047 1311259 1311260 1311276 1311277
Blocks:	1305973
TreeView+	depends on / blocked

Reported:	2016-02-09 17:23 UTC by Kurt Seifried
Modified:	2021-02-17 04:21 UTC (History)
CC List:	6 users (show)
Fixed In Version:	libssh 0.7.3
Doc Type:	Bug Fix
Doc Text:	A type confusion issue was found in the way libssh generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters.
Clone Of:
Environment:
Last Closed:	2016-04-01 04:05:07 UTC
Embargoed:

Attachments	(Terms of Use)
libssh-CVE-2016-0739.patch (1.99 KB, patch) 2016-02-09 17:34 UTC, Kurt Seifried	no flags	Details \| Diff
CVE-2016-0739 advisory text (2.33 KB, text/plain) 2016-02-19 09:33 UTC, Andreas Schneider	no flags	Details
Patch (1.85 KB, patch) 2016-02-22 11:40 UTC, Tomas Hoger	no flags	Details \| Diff
Show Obsolete (1) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:0566	0	normal	SHIPPED_LIVE	Moderate: libssh security update	2016-04-01 03:20:27 UTC

Description Kurt Seifried 2016-02-09 17:23:43 UTC

Andreas Schneider of Red Hat reports:

Due to a byte/bit confusion, the DH secret was too short. This file was
completely reworked and will be commited in a future version.

This issue may be worked around by using other key exchange methods, such as
curve25519-sha256 or ecdh-sha2-nistp256, both are not vulnerable.
By default, an unpatched libssh implementation will already attempt to use
these two more secure methods when supported by the other party.

Comment 1 Kurt Seifried 2016-02-09 17:34:37 UTC

Created attachment 1122470 [details]
libssh-CVE-2016-0739.patch

Comment 2 Kurt Seifried 2016-02-09 17:35:26 UTC

The embargo is currently set for Feb 23rd, 2016 14:00 CET.

Comment 3 Andreas Schneider 2016-02-19 09:33:49 UTC

Created attachment 1128493 [details]
CVE-2016-0739 advisory text

Comment 8 Tomas Hoger 2016-02-22 11:40:46 UTC

Created attachment 1129246 [details]
Patch

The same patch as attached in comment 1, but with correct white spaces / indent.

Comment 10 Stef Walter 2016-02-22 11:58:06 UTC

Tomas, thanks. That patch applies well.

Comment 13 Stef Walter 2016-02-22 12:33:19 UTC

I'm unsure how one would verify that the patch applied, but I see this in the build log:

+ echo 'Patch #1 (libssh-CVE-2016-0739.patch):'
Patch #1 (libssh-CVE-2016-0739.patch):
+ /usr/bin/cat /builddir/build/SOURCES/libssh-CVE-2016-0739.patch
+ /usr/bin/patch -p1 --fuzz=0
patching file src/dh.c

And I have checked that the patch file starts with:

From dc2eaa017fe77e53bd9f1d4327a480d9bfe6cc6a Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris>
Date: Tue, 9 Feb 2016 15:09:27 +0100
Subject: [PATCH] dh: fix CVE-2016-0739

Due to a byte/bit confusion, the DH secret was too short. This file was
completely reworked and will be commited in a future version.
---

Comment 14 Andreas Schneider 2016-02-22 14:31:07 UTC

The only way to verify this, is to build libssh with:

cmake -DWITH_DEBUG_CRYPTO=ON

Then do a rsa connection using the libssh example client ./examples/samplessh. It will print x (the random secret bignum) on the command line.

Comment 15 Tomas Hoger 2016-02-23 18:16:02 UTC

Fixed upstream in version 0.7.3:

https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/

Comment 16 Tomas Hoger 2016-02-23 18:19:36 UTC

Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1311259]
Affects: epel-all [bug 1311260]

Comment 17 Tomas Hoger 2016-02-23 18:21:54 UTC

External Reference:

https://www.libssh.org/security/advisories/CVE-2016-0739.txt

Comment 18 Tomas Hoger 2016-02-23 18:23:20 UTC

Upstream commit:

https://git.libssh.org/projects/libssh.git/commit/?id=4e6ff36a9a3aef72aa214f6fb267c28953b80060

Comment 19 Kurt Seifried 2016-02-23 19:38:49 UTC

Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1311276]
Affects: epel-all [bug 1311277]

Comment 20 Martin Prpič 2016-02-24 10:00:54 UTC

Acknowledgments:

Name: Aris Adamantiadis

Comment 21 errata-xmlrpc 2016-03-31 23:25:49 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2016:0566 https://rhn.redhat.com/errata/RHSA-2016-0566.html

Note You need to log in before you can comment on or make changes to this bug.