Bug 1537929 (CVE-2016-10708) - CVE-2016-10708 openssh: Out of sequence NEWKEYS message can allow remote attacker to cause denial of service
Summary: CVE-2016-10708 openssh: Out of sequence NEWKEYS message can allow remote atta...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-10708
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1537930
TreeView+ depends on / blocked
 
Reported: 2018-01-24 06:26 UTC by Sam Fowler
Modified: 2021-02-17 00:55 UTC (History)
11 users (show)

Fixed In Version: openssh 7.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-06 18:13:50 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Sam Fowler 2018-01-24 06:26:23 UTC 
sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.

External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10708
https://www.openssh.com/releasenotes.html
http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html

Upstream Patch:
https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737
Comment 1 Jakub Jelen 2018-01-24 08:01:03 UTC 
OpenSSH 7.4 is in RHEL7.4 so we should be safe here. But the release notes do not talk about this issue:

http://www.openssh.com/txt/release-7.4

Are you sure it is denial of service by crashing the whole daemon, or is it just a per-connection process, that is crashing? Are we able to reproduce it?
Comment 2 Salvatore Bonaccorso 2018-01-27 07:40:32 UTC 
Hi Jakub,

Regarding the release notes: it is mentioned in the "Bugfixes" section:

 * sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
   sequence NEWKEYS message.

Your second question though is still open.
Comment 3 Pedro Yóssis Silva Barbosa 2018-02-01 19:42:27 UTC 
RHEL-6 is affected, RHEL-7 is not.

Although I did not make a reproducer, I made a simple test here (forcing crash in the vulnerable part, through patching the binary with bad opcodes) and could confirm that the DoS is just a per-connection process, not the whole daemon. Hence, WONTFIX.
Comment 7 Pedro Yóssis Silva Barbosa 2018-02-05 13:41:53 UTC 
Note:

Originally, this issue affected Red Hat Enterprise Linux 7 (version 7.3 and earlier). Due a rebase (RHSA-2017:2029-09), this issue was mitigated in Red Hat Enterprise Linux 7 and later versions.
Comment 9 Pedro Yóssis Silva Barbosa 2018-02-06 18:05:46 UTC 
Statement:

This issue affects the versions of openssh as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 (versions 7.3 and earlier).  For Red Hat Enterprise Linux 7 (versions 7.4 and later), this issue was fixed by the Security Advisory RHSA-2017:2029. For Red Hat Enterprise Linux 6, Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 10 Pedro Yóssis Silva Barbosa 2018-02-06 18:10:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2029 https://access.redhat.com/errata/RHSA-2017:2029
Comment 11 Brahma 2019-05-15 15:15:35 UTC 
Could you please share proposed testcase and reproduction for the same.
Note You need to log in before you can comment on or make changes to this bug.