OpenSSH upstream has released version 6.4 which fixes a single security issue:

http://openssh.org/txt/release-6.4

* sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv

Further details are available in the mentioned upstream advisory:

A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm or aes256-gcm) is selected during kex exchange. If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations.

...

When using AES-GCM, sshd was not initialising a Message Authentication Code (MAC) context that is unused when the cipher mode offers authentication itself. This context contains some callback pointers, including a cleanup callback that was still being invoked during a rekeying operation. As such, the address being called was derived from previous heap contents.

This vulnerability is mitigated by the difficulty of pre-loading the heap with a useful callback address and by any platform address-space layout randomisation applied to sshd and the shared libraries it depends upon.

This issue affects versions 6.2 and 6.3. OpenSSH 6.2 is the first version that introduced the affected AES-GCM ciphers:

http://openssh.org/txt/release-6.2

* ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in SSH protocol 2. The new cipher is available as aes128-gcm and aes256-gcm. It uses an identical packet format to the AES-GCM mode specified in RFC 5647, but uses simpler and different selection rules during key exchange.

The upstream patch is part of the advisory, and can be found in the upstream CVS repository:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor_wrap.c#rev1.77

External References:

http://www.openssh.com/txt/gcmrekey.adv
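Added example, a constructed model rather than OpenSSH's or the advisory's code, of the pattern the advisory describes: a key-state struct whose MAC context is filled in only when the cipher offers no built-in authentication, beside the zero-initialised form that leaves a rekey cleanup nothing stale to call. The struct and function names, the fake non-zeroing allocator and the authlen value 16 are assumptions made for the demonstration.

```c
#include <string.h>

/* Constructed model of the bug class in the advisory (not OpenSSH's real code):
 * a key-state struct whose MAC context is only filled in for non-AEAD ciphers. */
typedef void (*cleanup_fn)(void *ctx);
struct mac_ctx { const char *name; int enabled; cleanup_fn cleanup; };
struct newkeys { int cipher_authlen; struct mac_ctx mac; };

/* One reusable block standing in for a heap chunk handed out without zeroing. */
static struct newkeys heap_block;
static struct newkeys *heap_alloc_unzeroed(void) { return &heap_block; }

static void hmac_cleanup(void *ctx) { (void)ctx; }       /* the MAC we actually install */
static void leftover_callback(void *ctx) { (void)ctx; }  /* whatever an earlier owner stored */

/* An earlier allocation used the block and left a callback pointer behind in it. */
static void simulate_previous_heap_contents(void) {
    struct newkeys *old = heap_alloc_unzeroed();
    old->cipher_authlen = 0; old->mac.name = "stale";
    old->mac.cleanup = leftover_callback;
}

/* Vulnerable pattern: no zeroing, and the MAC fields are set only when the cipher has no
 * built-in authentication (cipher_authlen == 0); for AES-GCM the context keeps old heap data. */
static struct newkeys *newkeys_from_blob_bad(int authlen) {
    struct newkeys *nk = heap_alloc_unzeroed();
    nk->cipher_authlen = authlen;
    if (authlen == 0) { nk->mac.name = "hmac-sha2-256"; nk->mac.enabled = 1; nk->mac.cleanup = hmac_cleanup; }
    return nk;
}

/* Fixed pattern: zero the struct first (calloc-style), so an unused MAC context has NULL callbacks. */
static struct newkeys *newkeys_from_blob_fixed(int authlen) {
    struct newkeys *nk = heap_alloc_unzeroed();
    memset(nk, 0, sizeof *nk);
    nk->cipher_authlen = authlen;
    if (authlen == 0) { nk->mac.name = "hmac-sha2-256"; nk->mac.enabled = 1; nk->mac.cleanup = hmac_cleanup; }
    return nk;
}

/* Rekey cleanup as the advisory describes it consults the MAC cleanup callback regardless of
 * cipher; this returns the pointer that would be called rather than calling it. */
static cleanup_fn rekey_cleanup_target(const struct newkeys *nk) { return nk->mac.cleanup; }

/* 1 if rekeying AES-GCM keys (authlen 16) would jump through a pointer nobody initialised. */
static int rekey_uses_uninitialised_callback(int use_fixed) {
    simulate_previous_heap_contents();
    struct newkeys *nk = use_fixed ? newkeys_from_blob_fixed(16) : newkeys_from_blob_bad(16);
    cleanup_fn target = rekey_cleanup_target(nk);
    return target != NULL && target != hmac_cleanup;
}
```

The same check generalises to any struct that carries callbacks: either zero the allocation or make every consumer test the "MAC selected" condition before touching the context.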
Fedora openssh packages based on vulnerable upstream versions 6.2 and 6.3 are not affected, as they already contain the same change as part of the openssh-*-audit.patch:

http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.3p1-audit.patch?id=84822b5#n1483

The fix was introduced as part of this commit:

http://pkgs.fedoraproject.org/cgit/openssh.git/commit/?h=f19&id=014fe81
Prior to openssh-6.2p1, one of the implemented MAC algorithms was always used together with the used cipher, so newkeys->mac was always initialized using choose_mac(). Since openssh-6.2p1, new AES-GCM encryptions are implemented, and given that GCM mode provides data integrity itself, no MAC is used:

- choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]);
+ authlen = cipher_authlen(newkeys->enc.cipher);
+ if (authlen == 0)
+ choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);

A new functionality in openssh-6.2p1-audit.patch added the used MAC to audit messages and as a side effect also fixed this issue.
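Review bot: the hunk gates choose_mac() on cipher_authlen() but leaves newkeys->mac untouched in the authlen != 0 case, so nothing in the struct records that no MAC was selected; every later consumer of newkeys->mac (the cleanup run during rekeying that the advisory above describes, and any code that copies or serialises the key state) needs the same cipher_authlen(newkeys->enc.cipher) == 0 guard or a zero-initialised context, otherwise its callback pointers are whatever the allocation held unless the allocation was zeroed. A comment on the new branch stating that newkeys->mac is valid only when authlen == 0 would make that contract visible to those callers. Minor: the removed line has `choose_mac (` with a space before the parenthesis; the added call drops it, which matches the surrounding style.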
(In reply to Petr Lautrbach from comment #3)
> - choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]);
> + authlen = cipher_authlen(newkeys->enc.cipher);
> + if (authlen == 0)
> + choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);

The above is part of this upstream commit:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c#rev1.88
Statement: Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for AES-GCM cipher suites.
*** Bug 1029004 has been marked as a duplicate of this bug. ***
HackerOne report: https://hackerone.com/reports/500