A denial of service vulnerability was found in openssh. The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string. References: http://seclists.org/oss-sec/2016/q3/215 Upstream fix: https://github.com/openssh/openssh-portable/commit/fcd135c9df440bcd2d5870405ad3311743d78d97
Created openssh tracking bugs for this issue: Affects: fedora-all [bug 1364936]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2029 https://access.redhat.com/errata/RHSA-2017:2029
(In reply to Dhiru Kholia from comment #5) > Statement: > > This issue in OpenSSH is mitigated by the usage of SELinux in Red Hat > Enterprise Linux 6 and Red Hat Enterprise Linux 7. Can you elaborate on this? My tests dosen't seem to support that claim for RHEL6 with default policies.
What do your tests show? The CVE was based on the fact that the password hashing is done on the non-truncated password if PAM is not used. However when PAM is used (which is the default and only supported configuration in RHEL) the password is truncated when unix_chkpwd is invoked during the PAM authentication.
Explanation of Mitigation: OpenSSH in RHEL 6, 7 and 8 uses a helper binary "unix_chkpwd" (via the pam_unix module) to verify the passwords. Even when long passwords are passed to OpenSSH, they are truncated to 512 bytes when passed to the helper binary. Hence, RHEL 6 and 7 are not affected by this denial of service attack which utilizes very long passwords. Red Hat Enterprise Linux 6, 7 and 8 ship with SELinux enabled by default. However, the helper binary "unix_chkpwd" (the usage of which mitigates this flaw) is not used when SELinux is disabled. Disabling SELinux exposes the OpenSSH software to this flaw.
Statement: This issue in OpenSSH is mitigated by the usage of SELinux in Red Hat Enterprise Linux 6, 7 and 8. More details available at: https://bugzilla.redhat.com/show_bug.cgi?id=1364935#c13