Bug 908707 (CVE-2010-5107) - CVE-2010-5107 openssh: Prevent connection slot exhaustion attacks
Summary: CVE-2010-5107 openssh: Prevent connection slot exhaustion attacks
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-5107
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 908710 1001879
Blocks: 908713 974906
Reported: 2013-02-07 11:07 UTC by Jan Lieskovsky
Modified: 2021-02-17 08:04 UTC (History)

Fixed In Version: openssh 6.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-25 09:10:34 UTC
Embargoed:




Links
System: Red Hat Product Errata | ID: RHSA-2013:1527 | Priority: normal | Status: SHIPPED_LIVE | Summary: Important: rhev-hypervisor6 security and bug fix update | Last Updated: 2013-11-21 09:47:11 UTC
System: Red Hat Product Errata | ID: RHSA-2013:1591 | Priority: normal | Status: SHIPPED_LIVE | Summary: Low: openssh security, bug fix, and enhancement update | Last Updated: 2013-11-20 21:39:30 UTC

Description Jan Lieskovsky 2013-02-07 11:07:46 UTC
A denial of service flaw was found in the way the default server configuration of OpenSSH, an open source implementation of SSH protocol versions 1 and 2, performed management of its connection slots. A remote attacker could use this flaw to cause connection slot exhaustion on the server.

References:
[1] http://seclists.org/oss-sec/2012/q1/1
[2] http://www.openwall.com/lists/oss-security/2013/02/06/5
[3] http://www.openwall.com/lists/oss-security/2013/02/07/3

Relevant upstream patches:
[4] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
[5] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
[6] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89

Comment 1 Jan Lieskovsky 2013-02-07 11:09:44 UTC
A public reproducer to demonstrate this issue was posted to the oss-security list:

http://www.openwall.com/lists/oss-security/2013/02/06/5
http://thread.gmane.org/gmane.comp.security.oss.general/9320

Comment 2 Jan Lieskovsky 2013-02-07 11:10:43 UTC
This issue affects the versions of the openssh package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the openssh package, as shipped with Fedora releases 16, 17, and 18. Please schedule an update.

Comment 3 Jan Lieskovsky 2013-02-07 11:11:24 UTC
Created openssh tracking bugs for this issue

Affects: fedora-all [bug 908710]

Comment 5 Fedora Update System 2013-02-13 04:33:04 UTC
openssh-6.1p1-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2013-02-26 02:47:04 UTC
openssh-5.9p1-29.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Huzaifa S. Sidhpurwala 2013-03-20 05:25:46 UTC
This flaw was addressed upstream by enabling 'random early drop' by default, via the sshd_config file. The default value of 'MaxStartups' is now changed from 10 to 10:30:100

The sshd_config man page describes this as follows:

'Alternatively, random early drop can be enabled by specifying the three colon separated values "start:rate:full" (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60).'

This flaw can be mitigated in the versions of OpenSSH shipped with Red Hat Enterprise Linux 5 and 6, by setting the value of 'MaxStartups' as described above. (Values should be changed as per requirement)
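Added editorial example, not part of this comment and not OpenSSH's own source: a C model of the random early drop policy quoted above from sshd_config(5), parsing a MaxStartups "start:rate:full" value and computing the refusal probability for a given number of unauthenticated connections. The struct and function names are my own, and a bare "N" value is modelled as the hard limit the old default "10" imposed.

```c
/* Model of the MaxStartups random early drop policy documented in
 * sshd_config(5): refuse with probability rate% once `start` unauthenticated
 * connections exist, rising linearly to 100% at `full`. Illustration only,
 * not sshd's implementation; names are invented for this example. */
#include <stdio.h>
#include <stdlib.h>

struct max_startups {
    int start;   /* unauthenticated connections before dropping begins */
    int rate;    /* drop probability in percent at exactly `start` */
    int full;    /* every new connection refused at or above this */
};

/* Parse "start:rate:full". A bare "N" (the pre-6.2 default style, e.g.
 * "10") is modelled as N:100:N, i.e. a hard limit with no early drop.
 * Returns 0 on success, -1 on a malformed or inconsistent value. */
int parse_max_startups(const char *spec, struct max_startups *cfg)
{
    int n = sscanf(spec, "%d:%d:%d", &cfg->start, &cfg->rate, &cfg->full);
    if (n == 1) {
        cfg->rate = 100;
        cfg->full = cfg->start;
    } else if (n != 3) {
        return -1;
    }
    if (cfg->start < 1 || cfg->rate < 1 || cfg->rate > 100 ||
        cfg->full < cfg->start)
        return -1;
    return 0;
}

/* Percent chance that a new connection is refused when `startups`
 * connections are already waiting for authentication. */
int drop_probability(const struct max_startups *cfg, int startups)
{
    if (startups < cfg->start)
        return 0;
    if (startups >= cfg->full || cfg->rate == 100)
        return 100;
    /* rate at `start`, linear interpolation up to 100 at `full` */
    return cfg->rate + (100 - cfg->rate) * (startups - cfg->start)
                     / (cfg->full - cfg->start);
}

int main(void)
{
    struct max_startups cfg;
    if (parse_max_startups("10:30:100", &cfg) != 0)  /* the new default */
        return 1;
    for (int n = 0; n <= 100; n += 10)
        printf("%3d unauthenticated -> refuse with %3d%%\n",
               n, drop_probability(&cfg, n));
    return 0;
}
```

With the old default "10" the table shows 0% up to 9 waiting connections and 100% at 10, which is exactly the slot exhaustion this bug describes; with "10:30:100" an attacker must hold far more half-open sessions before legitimate users are refused outright.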

Comment 8 Huzaifa S. Sidhpurwala 2013-03-20 05:28:36 UTC
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 10 Tomas Hoger 2013-10-25 21:27:12 UTC
New default for MaxStartups is used in upstream OpenSSH starting with version 6.2.

Comment 11 errata-xmlrpc 2013-11-21 09:45:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1591 https://rhn.redhat.com/errata/RHSA-2013-1591.html

Comment 12 errata-xmlrpc 2013-11-22 00:36:18 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:1527 https://rhn.redhat.com/errata/RHSA-2013-1527.html
