Bug 1406293 (CVE-2016-10012) - CVE-2016-10012 openssh: Bounds check can be evaded in the shared memory manager used by pre-authentication compression support
Summary: CVE-2016-10012 openssh: Bounds check can be evaded in the shared memory manag...
Keywords:
Status: NEW
Alias: CVE-2016-10012
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1406296
Blocks: 1406299 1415638
 
Reported: 2016-12-20 08:35 UTC by Andrej Nemec
Modified: 2019-09-29 14:02 UTC (History)
CC List: 9 users

Fixed In Version: openssh 7.4
Doc Type: If docs needed, set a value
Doc Text:
It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process.
Clone Of:
Environment:
Last Closed: 2017-01-16 06:04:23 UTC


Attachments
removes pre-auth compression, resolves CVE-2016-10012 (12.49 KB, patch)
2017-07-30 04:53 UTC, Dmitri Dmitrienko


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2029 normal SHIPPED_LIVE Moderate: openssh security, bug fix, and enhancement update 2017-08-01 18:11:55 UTC

Description Andrej Nemec 2016-12-20 08:35:20 UTC
It was found that the shared memory manager used by pre-authentication compression support had a bounds check that could be elided by some optimising compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first).

CVE assignment:

http://seclists.org/oss-sec/2016/q4/708

External References:

https://www.openssh.com/txt/release-7.4
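The flaw class named in the description and in the Doc Text field (a bounds check that an optimising compiler may drop) is easy to reproduce in miniature. The following is an added illustration written for this page, not OpenSSH's own monitor_mm.c code: a validity check written on pointers, which relies on wraparound to catch an oversized length, next to the same check written on unsigned offsets. The function names, the 64-byte arena and the request sizes are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample arena standing in for a shared-memory region. */
#define ARENA_SIZE 64
static unsigned char arena[ARENA_SIZE];

/*
 * Vulnerable pattern: the test that `address + size` did not wrap is
 * written on pointers. Forming a pointer outside the object is undefined
 * behaviour in C, so an optimising compiler is entitled to assume the
 * wrap cannot happen and delete the `end < a` comparison, leaving an
 * oversized `size` unchecked against the arena limit.
 */
bool memvalid_vulnerable(const void *base, size_t base_size,
                         const void *address, size_t size)
{
    const unsigned char *b = (const unsigned char *)base;
    const unsigned char *a = (const unsigned char *)address;
    const unsigned char *end = a + size;   /* UB if this leaves the object */

    if (a < b)
        return false;
    if (end < a)                           /* may be optimised out */
        return false;
    if (end > b + base_size)
        return false;
    return true;
}

/*
 * Hardened form: reason about an offset and a length as unsigned
 * integers instead of about pointers. Once `offset <= base_size` is
 * established, `base_size - offset` cannot underflow, so no wrap check
 * is needed and there is nothing for the optimiser to discard.
 */
bool memvalid_hardened(const void *base, size_t base_size,
                       const void *address, size_t size)
{
    uintptr_t b = (uintptr_t)base;
    uintptr_t a = (uintptr_t)address;
    size_t offset;

    if (a < b)                             /* starts before the arena */
        return false;
    offset = (size_t)(a - b);
    if (offset > base_size)                /* starts past the arena end */
        return false;
    if (size > base_size - offset)         /* length exceeds the remainder */
        return false;
    return true;
}

int main(void)
{
    /* In-range request: both versions accept it. */
    printf("in range:  %d\n",
           memvalid_hardened(arena, ARENA_SIZE, arena + 8, 8));
    /* Oversized request whose pointer arithmetic would wrap: only the
     * hardened version is guaranteed to reject it on every compiler. */
    printf("oversized: %d\n",
           memvalid_hardened(arena, ARENA_SIZE, arena + 8, SIZE_MAX));
    return 0;
}
```

Compiling the vulnerable variant with optimisation and passing a length near SIZE_MAX is the experiment to run; whether `end < a` survives depends on the compiler and flags, which is exactly why a check that depends on undefined behaviour is not a check at all.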

Comment 2 Andrej Nemec 2016-12-20 08:41:36 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1406296]

Comment 4 Huzaifa S. Sidhpurwala 2017-01-16 06:04:23 UTC
Statement:

In order to exploit this flaw, the attacker needs to first compromise the sandboxed privilege-separation process by using another security flaw. Because of this restriction for successful exploitation, this issue has been rated as having Low security impact. A future update to Red Hat Enterprise Linux 7 will address this flaw.

Comment 5 Shabba 2017-04-21 14:05:23 UTC
Just FYI, PCI QSAs are treating this issue as grounds for certification failure, so many have begun failing companies during the quarterly or annual scans when the version of OpenSSH included in RHEL 7 and older does not have a patch for this.

Comment 6 Jakub Jelen 2017-04-21 14:19:44 UTC
(In reply to Shabba from comment #5)
> Just FYI, PCI QSA's are treating this issue as grounds for certification
> failure, so many have begun failing companies during the quarterly or annual
> scans when the version of OpenSSH included in RHEL 7 and older does not have
> a patch for this.

Thank you for your information. This bugzilla is not completely correct and we should fix it.
Please, open a ticket with customer support to get up-to-date information about this issue and when it is going to be fixed.

https://access.redhat.com/support/

Comment 9 Dmitri Dmitrienko 2017-07-30 04:53:31 UTC
Created attachment 1306453 [details]
removes pre-auth compression, resolves CVE-2016-10012

This patch:
* removes pre-auth compression
* resolves CVE-2016-10012
* is compatible with openssh rpm version 6.6.1.p1-35.el7 (meaning it can be included into the rpm spec)

Comment 10 errata-xmlrpc 2017-08-01 18:45:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2029 https://access.redhat.com/errata/RHSA-2017:2029

