Red Hat Bugzilla – Bug 208727
CVE-2006-4924 openssh DoS (also CVE-2006-5051) (also for RHL7.3: CVE-2006-0225, CVE-2003-0386)
Last modified: 2007-08-30 16:00:58 EDT
creating as a clone of bug 207955 (and also bug 207957 which is for fc5) --
create clone doesn't seem to be working for me for some reason, so copy/pasted
in the description from those bugs.
Tavis Ormandy of the Google Security Team discovered a denial of service attack
on the openssh sshd daemon when ssh protocol version 1 is enabled. This flaw
will cause the openssh server to consume a large quantity of the CPU until the
specified timeout is reached.
The upstream patches can be found here:
Thanks a bunch, Steven, for entering this bug. Your entry indicates this
affects RedHat Linux 7.3. Do you know offhand if this affects all the other
RHL and FC releases? Thanks!
Ah. Looks indeed like this vulnerability does affect all RHL & FC releases!
Michal Jaegermann posted this to the fedora-legacy-list:
"FC4 source rpm of openssh-4.2p1 with added recent security fixes is
available at ftp://ftp.harddata.com/pub/Legacy_srpms/.
At least patches for cve-2006-4924 and cve-2006-5051 do not
really differ from what you can find in recent RHEL updates
so these can likely be applied (close to?) "as is" in earlier
distros as well."
Thanks, Michal! -David
Red Hat issued two RHSA's on this issue:
* RHSA-2006-0697 <https://rhn.redhat.com/errata/RHSA-2006-0697.html> for
RHEL 3 and 4 for the CVE's CVE-2006-4924 CVE-2006-5051 (RHEL 3 is sorta
comparable to RHL 9, and RHEL 4 is sorta comparable to FC3);
* RHSA-2006-0698 <https://rhn.redhat.com/errata/RHSA-2006-0698.html> for
RHEL 2.1, for the CVE's CVE-2006-4924 CVE-2006-0225 CVE-2003-0386
CVE-2006-5051 (RHEL 2.1 is sorta comparable to RHL 7.3).
Here is the text from the RHSA-2006-0698 with the 4 CVE issues:
"Updated openssh packages that fix several security issues in sshd
are now available for Red Hat Enterprise Linux 2.1.
"This update has been rated as having important security impact by
the Red Hat Security Response Team. ...
"Mark Dowd discovered a signal handler race condition in the OpenSSH
sshd server. A remote attacker could possibly leverage this flaw to
cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project
believes the likelihood of successful exploitation leading to
arbitrary code execution appears remote. However, the Red Hat Security
Response Team have not yet been able to verify this claim due to lack
of upstream vulnerability information. We are therefore including a
fix for this flaw and have rated it important security severity in the
event our continued investigation finds this issue to be exploitable.
"Tavis Ormandy of the Google Security Team discovered a denial of
service bug in the OpenSSH sshd server. A remote attacker can send
a specially crafted SSH-1 request to the server causing sshd to
consume a large quantity of CPU resources. (CVE-2006-4924)
"An arbitrary command execution flaw was discovered in the way scp
copies files locally. It is possible for a local attacker to create a
file with a carefully crafted name that could execute arbitrary
commands as the user running scp to copy files locally. (CVE-2006-0225)
"The SSH daemon, when restricting host access by numeric IP addresses
and with VerifyReverseMapping disabled, allows remote attackers to
bypass "from=" and "user@host" address restrictions by connecting to a
host from a system whose reverse DNS hostname contains the numeric IP
"All users of openssh should upgrade to these updated packages, which
contain backported patches that resolve these issues."
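Two of the four issues in that advisory only bite under a particular sshd_config: CVE-2006-4924 needs SSH protocol 1 enabled, and CVE-2003-0386 needs VerifyReverseMapping turned off. The following audit script is an added example, not part of this bug or of any Red Hat or Fedora Legacy package; it parses an sshd_config the way sshd does (first occurrence of a keyword wins, keywords case-insensitive, `=` or whitespace as separator) and reports either condition. The sample configs are constructed. It assumes, as the 3.x/4.x releases on this page did, that an absent `Protocol` line means the built-in default `2,1`, so protocol 1 is on unless explicitly disabled.

```python
"""Audit an sshd_config for the two settings that gate CVE-2006-4924
(SSH-1 enabled) and CVE-2003-0386 (VerifyReverseMapping disabled).
Added example; not code from the bug report or from any vendor package."""

# Constructed sample: the weak configuration the advisories warn about.
WEAK_CONFIG = """\
# sshd_config (constructed sample, not from a real host)
Port 22
Protocol 2,1
VerifyReverseMapping no
PermitRootLogin no
"""

# Constructed sample: the same file with both settings corrected.
HARDENED_CONFIG = """\
Port 22
Protocol 2
VerifyReverseMapping yes
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} keeping only the first occurrence of
    each keyword, since sshd uses the first value and ignores later ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; the separator may be '=' or whitespace.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings (empty list means neither condition holds)."""
    findings = []
    cfg = parse_sshd_config(text)

    protocol = cfg.get("protocol")
    if protocol is None:
        # Assumption: OpenSSH 3.x/4.x default is "2,1", so SSH-1 is enabled.
        findings.append("Protocol not set: default '2,1' leaves SSH-1 enabled "
                        "(CVE-2006-4924 reachable)")
    else:
        versions = {v.strip() for v in protocol.split(",")}
        if "1" in versions:
            findings.append("Protocol %s: SSH-1 enabled, sshd exposed to the "
                            "deattack CPU DoS (CVE-2006-4924)" % protocol)

    vrm = cfg.get("verifyreversemapping")
    if vrm is not None and vrm.lower() == "no":
        findings.append("VerifyReverseMapping no: from= and user@host "
                        "restrictions can be bypassed via reverse DNS "
                        "(CVE-2003-0386)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or ["no findings"])
```

Setting `Protocol 2` removes the SSH-1 code path entirely, which is the cheaper mitigation for CVE-2006-4924 on hosts that cannot take the patched packages immediately; the patch is still needed wherever protocol 1 must stay enabled.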
Created attachment 139178 [details]
openssh vendor patch
patch addressing CVE-2006-4924 and CVE-2006-5051 from openbsd (openssh vendor).
Created attachment 139179 [details]
patch for openssh.spec. bumps release to fc4.11 and adds vendor supplied
I'm not too bugzilla savvy as is obvious. The above mentioned patches apply
fine to openssh-4.2p1-fc4.10.
-----BEGIN PGP SIGNED MESSAGE-----
I have created the following SRPMs for openssh:
* Tue Oct 31 2006 Donald Maner <firstname.lastname@example.org> 3.1p1-14.4.legacy
- - Patches for CVE-2006-4924, CVE-2003-0386, and CVE-2006-5051
* Tue Oct 31 2006 Donald Maner <email@example.com> 3.5p1-11.5.legacy
- - Patches for CVE-2006-4924 and CVE-2006-5051
* Tue Oct 31 2006 Donald Maner <firstname.lastname@example.org> 3.9p1-8.0.5.legacy
- - Patches for CVE-2006-5051 and CVE-2006-4924
* Fri Nov 03 2006 Donald Maner <email@example.com> - 4.3p2-4.10.1.legacy
- - CVE-2006-4924 - prevent DoS on deattack detector (#208727)
- - CVE-2006-5051 - don't call cleanups from signal handler (#208727)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
-----END PGP SIGNATURE-----
Thanks a bunch, Donald! :-)
Since these haven't been QA'd yet, can we re-spin with a patch for
CVE-2006-5794? RH just released updates for this.
An authentication flaw was found in OpenSSH's privilege separation monitor.
If it ever becomes possible to alter the behavior of the unprivileged
process when OpenSSH is using privilege separation, an attacker may then be
able to login without possessing proper credentials. (CVE-2006-5794).
Seems to affect both FC3 and FC4. Since this is a new issue, we don't need to
patch it in RH7.3 and RH9...
Fedora Legacy project has ended. These will not be fixed by Fedora Legacy.