sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.
OpenSSH 7.4 is in RHEL7.4 so we should be safe here. But the release notes do not talk about this issue:
Are you sure it is a denial of service by crashing the whole daemon, or is it just a per-connection process that is crashing? Are we able to reproduce it?
Regarding the release notes: it is mentioned in the "Bugfixes" section:
* sshd(8): fix NULL-deref crash if sshd(8) received an out-of-sequence NEWKEYS message.
Your second question though is still open.
RHEL-6 is affected, RHEL-7 is not.
Although I did not make a reproducer, I made a simple test here (forcing crash in the vulnerable part, through patching the binary with bad opcodes) and could confirm that the DoS is just a per-connection process, not the whole daemon. Hence, WONTFIX.
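A simplified model of the behaviour discussed in this thread, added as an illustration and not taken from OpenSSH or from any commenter: each connection is handled in a forked child, so a NEWKEYS message that arrives before key exchange and dereferences a NULL key pointer kills only that child, while the parent goes on to serve the next connection. The `session` and `newkeys` structs, `handle_msg`, `run_connection` and the `hardened` flag are hypothetical names chosen for the example.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

enum { MSG_KEXINIT = 20, MSG_NEWKEYS = 21 };       /* SSH message numbers, RFC 4253 */
enum { CONN_OK = 0, CONN_REJECTED = 1, CONN_CRASHED = 2 };
struct newkeys { int key_len; };
struct session { struct newkeys *pending; };        /* NULL until key exchange has run */

/* Simplified model, not OpenSSH source. Returns 0, or -1 on a protocol error. */
static int handle_msg(struct session *s, int type, int hardened)
{
    static struct newkeys derived = { 32 };         /* constructed stand-in for negotiated keys */
    if (type == MSG_KEXINIT) { s->pending = &derived; return 0; }
    if (type != MSG_NEWKEYS) return -1;
    if (hardened && s->pending == NULL) return -1;  /* reject NEWKEYS that arrives too early */
    struct newkeys *volatile nk = s->pending;
    int len = nk->key_len;                          /* NULL dereference when out of sequence */
    s->pending = NULL;
    return len > 0 ? 0 : -1;
}

/* One forked child per connection; the parent only observes how the child ended. */
int run_connection(const int *msgs, int n, int hardened)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct session s = { NULL };
        signal(SIGSEGV, SIG_DFL);                   /* let the fault terminate the child */
        for (int i = 0; i < n; i++)
            if (handle_msg(&s, msgs[i], hardened) != 0) _exit(CONN_REJECTED);
        _exit(CONN_OK);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return CONN_CRASHED;   /* child died, parent is still running */
    return WEXITSTATUS(status);
}

int main(void)
{
    const int in_order[] = { MSG_KEXINIT, MSG_NEWKEYS }, early[] = { MSG_NEWKEYS };
    printf("unpatched, early NEWKEYS:  %d\n", run_connection(early, 1, 0));
    printf("next connection, in order: %d\n", run_connection(in_order, 2, 0));
    printf("hardened, early NEWKEYS:   %d\n", run_connection(early, 1, 1));
    return 0;
}
```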
Originally, this issue affected Red Hat Enterprise Linux 7 (version 7.3 and earlier). Due to a rebase (RHSA-2017:2029-09), this issue was mitigated in Red Hat Enterprise Linux 7 and later versions.
This issue affects the versions of openssh as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 (versions 7.3 and earlier). For Red Hat Enterprise Linux 7 (versions 7.4 and later), this issue was fixed by the Security Advisory RHSA-2017:2029. For Red Hat Enterprise Linux 6, Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2029 https://access.redhat.com/errata/RHSA-2017:2029
Could you please share the proposed test case and reproduction for the same?