A denial of service flaw was found in the way the default server configuration of OpenSSH, an open source implementation of SSH protocol versions 1 and 2, performed management of its connection slots. A remote attacker could use this flaw to cause connection slot exhaustion on the server.

References:
[1] http://seclists.org/oss-sec/2012/q1/1
[2] http://www.openwall.com/lists/oss-security/2013/02/06/5
[3] http://www.openwall.com/lists/oss-security/2013/02/07/3

Relevant upstream patches:
[4] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
[5] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
[6] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
A public reproducer demonstrating this issue was posted to the oss-security list:
http://www.openwall.com/lists/oss-security/2013/02/06/5
http://thread.gmane.org/gmane.comp.security.oss.general/9320
This issue affects the versions of the openssh package as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the openssh package as shipped with Fedora releases 16, 17, and 18. Please schedule an update.
Created openssh tracking bugs for this issue.
Affects: fedora-all [bug 908710]
openssh-6.1p1-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
openssh-5.9p1-29.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This flaw was addressed upstream by enabling 'random early drop' by default via the sshd_config file. The default value of 'MaxStartups' is now changed from 10 to 10:30:100. The sshd_config man page describes this as follows:

'Alternatively, random early drop can be enabled by specifying the three colon separated values "start:rate:full" (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60).'

This flaw can be mitigated in the versions of OpenSSH shipped with Red Hat Enterprise Linux 5 and 6 by setting the value of 'MaxStartups' as described above. (Values should be changed as per requirement.)
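The following is an added illustration, not code from this bug report or from OpenSSH itself. It re-implements the linear refusal probability the sshd_config man page describes so that an administrator can compare the old single-value default (10) with the random-early-drop form (10:30:100) and see at what load each setting starts refusing and when it refuses everything. The function names, the integer arithmetic and the sample connection counts are this example's own assumptions; only the semantics of "start:rate:full" come from the man page text quoted above.

```python
"""Model of the MaxStartups 'random early drop' behaviour described in sshd_config(5).

Added example, not OpenSSH's own code: it follows the man page's description
(refuse with probability rate/100 at 'start' unauthenticated connections,
rising linearly to 100% at 'full') so the effect of a given MaxStartups
value can be inspected offline.
"""


def parse_max_startups(value: str) -> tuple[int, int, int]:
    """Parse a MaxStartups value into (start, rate, full).

    A single number N is the older form: accept until N unauthenticated
    connections exist, then refuse everything (equivalent to N:100:N).
    """
    parts = value.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    if len(parts) != 3:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    start, rate, full = (int(p) for p in parts)
    if not (0 < start <= full and 0 <= rate <= 100):
        raise ValueError(f"bad MaxStartups value: {value!r}")
    return start, rate, full


def drop_probability(value: str, unauth_connections: int) -> int:
    """Percentage chance that a new connection attempt is refused.

    0 below 'start', 'rate' at exactly 'start', then linear up to 100 at
    'full'. Integer arithmetic is an assumption of this illustration.
    """
    start, rate, full = parse_max_startups(value)
    if unauth_connections < start:
        return 0
    if unauth_connections >= full or rate == 100:
        return 100
    # Interpolate between 'rate' (at start) and 100 (at full).
    p = 100 - rate
    p *= unauth_connections - start
    p //= full - start
    return p + rate


def refuses_all_at(value: str) -> int:
    """Lowest unauthenticated-connection count at which every attempt is refused."""
    start, rate, full = parse_max_startups(value)
    return start if rate == 100 else full


if __name__ == "__main__":
    # Constructed comparison: the old default versus the new default.
    for cfg in ("10", "10:30:100"):
        print(f"MaxStartups {cfg}: every attempt refused once "
              f"{refuses_all_at(cfg)} unauthenticated connections exist")
        for n in (5, 10, 35, 55, 100):
            print(f"  {n:3d} unauthenticated -> {drop_probability(cfg, n):3d}% refused")
```

With the single-value default, ten unauthenticated connections held open are enough to refuse every further attempt, which is the exhaustion this bug describes; with 10:30:100 a slot is still available with some probability until a hundred such connections exist, so a small number of stalled sessions no longer locks out legitimate users.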
Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/
The new default for MaxStartups is used in upstream OpenSSH starting with version 6.2.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2013:1591 https://rhn.redhat.com/errata/RHSA-2013-1591.html
This issue has been addressed in the following products:

RHEV-H and Agents for RHEL-6

Via RHSA-2013:1527 https://rhn.redhat.com/errata/RHSA-2013-1527.html