1537929 – (CVE-2016-10708) CVE-2016-10708 openssh: Out of sequence NEWKEYS message can allow remote attacker to cause denial of service

Bug 1537929 (CVE-2016-10708) - CVE-2016-10708 openssh: Out of sequence NEWKEYS message can allow remote attacker to cause denial of service

Summary: CVE-2016-10708 openssh: Out of sequence NEWKEYS message can allow remote atta...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2016-10708
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1537930
TreeView+	depends on / blocked

Reported:	2018-01-24 06:26 UTC by Sam Fowler
Modified:	2021-02-17 00:55 UTC (History)
CC List:	11 users (show)
Fixed In Version:	openssh 7.4
Clone Of:
Environment:
Last Closed:	2018-02-06 18:13:50 UTC
Embargoed:

Attachments	(Terms of Use)

Description Sam Fowler 2018-01-24 06:26:23 UTC

sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.

External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10708
https://www.openssh.com/releasenotes.html
http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html

Upstream Patch:
https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737

Comment 1 Jakub Jelen 2018-01-24 08:01:03 UTC

OpenSSH 7.4 is in RHEL7.4 so we should be safe here. But the release notes do not talk about this issue:

http://www.openssh.com/txt/release-7.4

Are you sure it is denial of service by crashing the whole daemon, or is it just a per-connection process, that is crashing? Are we able to reproduce it?

Comment 2 Salvatore Bonaccorso 2018-01-27 07:40:32 UTC

Hi Jakub,

Regarding the release notes: it is mentioned in the "Bugfixes" section:

 * sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
   sequence NEWKEYS message.

Your second question though is still open.

Comment 3 Pedro Yóssis Silva Barbosa 2018-02-01 19:42:27 UTC

RHEL-6 is affected, RHEL-7 is not.

Although I did not make a reproducer, I made a simple test here (forcing crash in the vulnerable part, through patching the binary with bad opcodes) and could confirm that the DoS is just a per-connection process, not the whole daemon. Hence, WONTFIX.

Comment 7 Pedro Yóssis Silva Barbosa 2018-02-05 13:41:53 UTC

Note:

Originally, this issue affected Red Hat Enterprise Linux 7 (version 7.3 and earlier). Due a rebase (RHSA-2017:2029-09), this issue was mitigated in Red Hat Enterprise Linux 7 and later versions.

Comment 9 Pedro Yóssis Silva Barbosa 2018-02-06 18:05:46 UTC

Statement:

This issue affects the versions of openssh as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 (versions 7.3 and earlier).  For Red Hat Enterprise Linux 7 (versions 7.4 and later), this issue was fixed by the Security Advisory RHSA-2017:2029. For Red Hat Enterprise Linux 6, Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 10 Pedro Yóssis Silva Barbosa 2018-02-06 18:10:37 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2029 https://access.redhat.com/errata/RHSA-2017:2029

Comment 11 Brahma 2019-05-15 15:15:35 UTC

Could you please share proposed testcase and reproduction for the same.

Note You need to log in before you can comment on or make changes to this bug.