Bug 1767966 (CVE-2019-16905) - CVE-2019-16905 openssh: an integer overflow in the private key parsing code for the XMSS key type
Summary: CVE-2019-16905 openssh: an integer overflow in the private key parsing code f...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-16905
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1767967 1767968
Blocks: 1767969
TreeView+ depends on / blocked
 
Reported: 2019-11-01 18:26 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 21:07 UTC (History)
9 users (show)

Fixed In Version: openssh 8.1, openssh 8.1p1
Doc Type: If docs needed, set a value
Doc Text:
A Denial of service flaw was found in the way OpenSSH parsed certain specially crafted XMSS (eXtended Merkle Signature Scheme) private keys. Any OpenSSH functionality which parses private keys is vulnerable, for example: 1. If ‘sshd’ daemon is configured to use an XMSS host key that is malformed, it will crash upon any attempt to connect to this server. 2. If 'authorized_keys' is configured to use an XMSS public key, and the private key is used to connect to the server, the ssh client used for the connection will crash. 3. Adding a crafted XMSS key to ssh-agent, will cause the ssh-agent to crash. 4. Hosting services which allow users to upload keys may be affected. Malicious keys will cause the flaw to be triggered when the key is parsed. (Note: upload alone is not enough, the key needs to be parsed to cause the crash)
Clone Of:
Environment:
Last Closed: 2019-11-04 09:47:13 UTC
Embargoed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2019-11-01 18:26:20 UTC
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.

References:
https://ssd-disclosure.com/archives/4033/ssd-advisory-openssh-pre-auth-xmss-integer-overflow
https://www.openssh.com/releasenotes.html

Comment 1 Guilherme de Almeida Suckevicz 2019-11-01 18:26:38 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-29 [bug 1767967]
Affects: fedora-30 [bug 1767968]

Comment 3 Huzaifa S. Sidhpurwala 2019-11-04 06:16:46 UTC
Mitigation:

This flaw is triggered when parsing XMSS private keys. XMSS is a PQC (Post-quantum cryptography) algorithm and its use is currently experimental. Other key types or any other OpenSSH functionality are not affected by this flaw. A possible mitigation for this flaw is to NOT use XMSS keys for SSH.

Comment 4 Huzaifa S. Sidhpurwala 2019-11-04 06:26:38 UTC
Upstream patch: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c.diff?r1=1.5&r2=1.6

Comment 5 Jakub Jelen 2019-11-04 08:23:34 UTC
The OpenSSH in Fedora and RHEL is built without the XMSS support so I will close these as a not a bug.

Comment 6 Huzaifa S. Sidhpurwala 2019-11-04 09:00:51 UTC
Statement:

The versions of OpenSSH package shipped with Red Hat products, do not enable support for XMSS and therefore are not affected by this flaw.


Note You need to log in before you can comment on or make changes to this bug.