Bug 208727 - CVE-2006-4924 openssh DoS (also CVE-2006-5051) (also for RHL7.3: CVE-2006-0225, CVE-2003-0386)
Summary: CVE-2006-4924 openssh DoS (also CVE-2006-5051) (also for RHL7.3: CVE-2006-02...
Status: CLOSED WONTFIX
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: openssh
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL:
Whiteboard: impact=important, LEGACY, rh73, rh90,...
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-09-30 22:50 UTC by Steven Roberts
Modified: 2007-08-30 20:00 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2007-08-30 20:00:58 UTC

Attachments (Terms of Use)
openssh vendor patch (7.08 KB, patch)
2006-10-23 22:57 UTC, ali 		no flags Details | Diff
openssh.spec patch (601 bytes, patch)
2006-10-23 22:59 UTC, ali 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)

Description Steven Roberts 2006-09-30 22:50:58 UTC 
creating as a clone of bug 207955 (and also bug 207957 which is for fc5) --
create clone doens't seemt o be workign for me for some reason, so copy/pasted
int he description from those bugs.

Tavis Ormandy of the Google Security Team discovered a denial of service attack
on the openssh sshd daemon when ssh protocol version 1 is enabled.  This flaw
will cause the openssh server to consume a large quantity of the CPU until the
specified timeout is reached.

The upstream patches can be found here:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.c.diff?r1=1.29&r2=1.30&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.143&r2=1.144&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.h.diff?r1=1.9&r2=1.10&sortby=date&f=h
Comment 1 David Eisenstein 2006-10-06 06:17:57 UTC 
Thanks a bunch, Steven, for entering this bug.  Your entry indicates this af-
fects RedHat Linux 7.3.  Do you know offhand if this affects all the other
RHL and FC releases?  Thanks!
Comment 2 David Eisenstein 2006-10-06 06:41:41 UTC 
Ah.  Looks indeed like this vulnerability does affect all RHL & FC releases!
Michal Jaegermann posted this to the fedora-legacy-list:
(<http://www.redhat.com/archives/fedora-legacy-list/2006-October/msg00010.html>)

"FC4 source rpm of openssh-4.2p1 with added recent security fixes is
available at ftp://ftp.harddata.com/pub/Legacy_srpms/.
At least patches for cve-2006-4924 and cve-2006-5051 do not
really differ from what you can find in recent RHEL updates
so these can likely be applied (close to?) "as is" in earlier
distros as well."

Thanks, Michal!  -David
Comment 3 David Eisenstein 2006-10-06 06:57:03 UTC 
Red Hat issued two RHSA's on this issue:

* RHSA-2006-0697  <https://rhn.redhat.com/errata/RHSA-2006-0697.html> for
  RHEL 3 and 4 for the CVE's CVE-2006-4924 CVE-2006-5051 (RHEL 3 is sorta
  comparable to RHL 9, and RHEL 4 is sorta comparable to FC3);

* RHSA-2006-0698  <https://rhn.redhat.com/errata/RHSA-2006-0698.html> for
  RHEL 2.1, for the CVE's CVE-2006-4924 CVE-2006-0225 CVE-2003-0386
  CVE-2006-5051 (RHEL 2.1 is sorta comparable to RHL 7.3).

Here is the text from the RHSA-2006-0698 with the 4 CVE issues:

    "Updated openssh packages that fix several security issues in sshd
    are now available for Red Hat Enterprise Linux 2.1.

    "This update has been rated as having important security impact by
    the Red Hat Security Response Team. ...

    "Mark Dowd discovered a signal handler race condition in the OpenSSH
    sshd server. A remote attacker could possibly leverage this flaw to
    cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project
    believes the likelihood of successful exploitation leading to arbi-
    trary code execution appears remote. However, the Red Hat Security
    Response Team have not yet been able to verify this claim due to lack
    of upstream vulnerability information. We are therefore including a
    fix for this flaw and have rated it important security severity in the
    event our continued investigation finds this issue to be exploitable.

    "Tavis Ormandy of the Google Security Team discovered a denial of
    service bug in the OpenSSH sshd server. A remote attacker can send
    a specially crafted SSH-1 request to the server causing sshd to con-
    sume a large quantity of CPU resources. (CVE-2006-4924)

    "An arbitrary command execution flaw was discovered in the way scp
    copies files locally. It is possible for a local attacker to create a
    file with a carefully crafted name that could execute arbitrary com-
    mands as the user running scp to copy files locally. (CVE-2006-0225)

    "The SSH daemon, when restricting host access by numeric IP addresses
    and with VerifyReverseMapping disabled, allows remote attackers to
    bypass "from=" and "user@host" address restrictions by connecting to a
    host from a system whose reverse DNS hostname contains the numeric IP
    address.  (CVE-2003-0386)

    "All users of openssh should upgrade to these updated packages, which
    contain backported patches that resolve these issues."
Comment 4 ali 2006-10-23 22:57:25 UTC 
Created attachment 139178 [details]
openssh vendor patch

patch addressing CVE-2006-4924 and CVE-2006-5051 from openbsd (openssh vendor).
Comment 5 ali 2006-10-23 22:59:23 UTC 
Created attachment 139179 [details]
openssh.spec patch

patch for openssh.spec.  bumps release to fc4.11 and adds vendor supplied
patch.
Comment 6 ali 2006-10-23 23:04:00 UTC 
I'm not to bugzilla savvy as is obvious.   The above mentioned patches apply
fine to openssh-4.2p1-fc4.10.
Comment 7 Donald Maner 2006-11-03 20:45:12 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have created the following SRPMs for openssh:

rh7.3:
4e3edd7b1fb6ba3074a832bdae4ee7b53dd10f73
http://lance.maner.org/openssh-3.1p1-14.4.legacy.src.rpm

* Tue Oct 31 2006 Donald Maner <donjr@pobox.com> 3.1p1-14.4.legacy

- - Patches for CVE-2006-4924, CVE-2003-0386, and CVE-2006-5051

rh9:
65a730513d88cc6b59c11bec75595864ea5a0ad0
http://lance.maner.org/openssh-3.5p1-11.5.legacy.src.rpm

* Tue Oct 31 2006 Donald Maner <donjr@pobox.com> 3.5p1-11.5.legacy

- - Patches for CVE-2006-4924 and CVE-2006-5051

fc3:
5b945720b2e1aa38dc77c357b1e243d438353c28
http://lance.maner.org/openssh-3.9p1-8.0.5.legacy.src.rpm

* Tue Oct 31 2006 Donald Maner <donjr@pobox.com> 3.9p1-8.0.5.legacy

- - Patches for CVE-2006-5051 and CVE-2006-4924

fc4:
1c3272b26892d1a96639ae83135065c4bbe59f6e
http://lance.maner.org/openssh-4.2p1-fc4.10.1.legacy.src.rpm

* Fri Nov 03 2006 Donald Maner <donjr@pobox.com> - 4.3p2-4.10.1.legacy

- - CVE-2006-4924 - prevent DoS on deattack detector (#208727)
- - CVE-2006-5051 - don't call cleanups from signal handler (#208727)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFFS6oppxMPKJzn2lIRAuFzAJ4wpxhkI3spdUbzv8uICiE2XlS6EgCfUROQ
EP00jL2AQ/Q7FlE2GXK0sbU=
=g2Yh
-----END PGP SIGNATURE-----
Comment 8 David Eisenstein 2006-11-07 06:11:18 UTC 
Thanks a bunch, Donald!   :-)
Comment 9 Jeff Sheltren 2006-11-15 16:29:08 UTC 
Since these haven't been QA'd yet, can we re-spin with a patch for
CVE-2006-5794?  RH just released updates for this.

https://rhn.redhat.com/errata/RHSA-2006-0738.html

An authentication flaw was found in OpenSSH's privilege separation monitor.
If it ever becomes possible to alter the behavior of the unprivileged
process when OpenSSH is using privilege separation, an attacker may then be
able to login without possessing proper credentials. (CVE-2006-5794).

Seems to effect both FC3 and FC4.  Since this is a new issue, we don't need to
patch it in RH7.3 and RH9...
Comment 10 Jesse Keating 2007-08-30 20:00:58 UTC 
Fedora Legacy project has ended.  These will not be fixed by Fedora Legacy.
Note You need to log in before you can comment on or make changes to this bug.