sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10708 https://www.openssh.com/releasenotes.html http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html Upstream Patch: https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737
OpenSSH 7.4 is in RHEL7.4 so we should be safe here. But the release notes do not talk about this issue: http://www.openssh.com/txt/release-7.4 Are you sure it is denial of service by crashing the whole daemon, or is it just a per-connection process, that is crashing? Are we able to reproduce it?
Hi Jakub, Regarding the release notes: it is mentioned in the "Bugfixes" section: * sshd(8): fix NULL-deref crash if sshd(8) received an out-of- sequence NEWKEYS message. Your second question though is still open.
RHEL-6 is affected, RHEL-7 is not. Although I did not make a reproducer, I made a simple test here (forcing crash in the vulnerable part, through patching the binary with bad opcodes) and could confirm that the DoS is just a per-connection process, not the whole daemon. Hence, WONTFIX.
Note: Originally, this issue affected Red Hat Enterprise Linux 7 (version 7.3 and earlier). Due a rebase (RHSA-2017:2029-09), this issue was mitigated in Red Hat Enterprise Linux 7 and later versions.
Statement: This issue affects the versions of openssh as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 (versions 7.3 and earlier). For Red Hat Enterprise Linux 7 (versions 7.4 and later), this issue was fixed by the Security Advisory RHSA-2017:2029. For Red Hat Enterprise Linux 6, Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2029 https://access.redhat.com/errata/RHSA-2017:2029
Could you please share proposed testcase and reproduction for the same.