Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 490752

Summary: net-misc/openssh-6.[23]* - memory corruption vulnerability with AES-GCM
Product: Gentoo Linux Reporter: Seraphim Mellos <mellos>
Component: Current packagesAssignee: Gentoo Linux bug wranglers <bug-wranglers>
Status: RESOLVED DUPLICATE    
Severity: major    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openssh.com/txt/gcmrekey.adv
Whiteboard:
Package list:
Runtime testing required: ---

Description Seraphim Mellos 2013-11-08 15:16:28 UTC 
This document may be found at: http://www.openssh.com/txt/gcmrekey.adv

1. Vulnerability

        A memory corruption vulnerability exists in the post-
        authentication sshd process when an AES-GCM cipher
        (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is
        selected during kex exchange.

        If exploited, this vulnerability might permit code execution
        with the privileges of the authenticated user and may
        therefore allow bypassing restricted shell/command
        configurations.

2. Affected configurations

        OpenSSH 6.2 and OpenSSH 6.3 when built against an OpenSSL
        that supports AES-GCM.

3. Mitigation

        Disable AES-GCM in the server configuration. The following
        sshd_config option will disable AES-GCM while leaving other
        ciphers active:

        Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

4. Details

        When using AES-GCM, sshd was not initialising a Message
        Authentication Code (MAC) context that is unused when the
        cipher mode offers authentication itself. This context
        contains some callback pointers, including a cleanup callback
        that was still being invoked during a rekeying operation.
        As such, the address being called was derived from previous
        heap contents.

	This vulnerability is mitigated by the difficulty of
        pre-loading the heap with a useful callback address and by
        any platform address-space layout randomisation applied to
        sshd and the shared libraries it depends upon.

5. Credit

        This issue was identified by Markus Friedl (an OpenSSH
	developer) on November 7th, 2013.

6. Fix

        OpenSSH 6.4 contains a fix for this vulnerability. Users who
        prefer to continue to use OpenSSH 6.2 or 6.3 may apply this
        patch:

Index: monitor_wrap.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/monitor_wrap.c,v
retrieving revision 1.76
diff -u -p -u -r1.76 monitor_wrap.c
--- monitor_wrap.c	17 May 2013 00:13:13 -0000	1.76
+++ monitor_wrap.c	6 Nov 2013 16:31:26 -0000
@@ -469,7 +469,7 @@ mm_newkeys_from_blob(u_char *blob, int b
 	buffer_init(&b);
 	buffer_append(&b, blob, blen);
 
-	newkey = xmalloc(sizeof(*newkey));
+	newkey = xcalloc(1, sizeof(*newkey));
 	enc = &newkey->enc;
 	mac = &newkey->mac;
 	comp = &newkey->comp;

Reproducible: Always
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-11-08 15:19:28 UTC 

*** This bug has been marked as a duplicate of bug 490728 ***