Bugzilla – Bug 426510
VUL-0: CVE-2008-4109: openssh: Signal handler bug in OpenSSH
Last modified: 2024-04-19 07:29:33 UTC
Your friendly security team received the following report via vendor-sec. Please respond ASAP. This issue is not widely public yet, please keep any information about it inside SUSE.

Date: Mon, 15 Sep 2008 18:44:12 +0200
From: Florian Weimer <fw@deneb.enyo.de>
To: vendor-sec@lst.de
Subject: [vendor-sec] Signal handler bug in OpenSSH
CC: openssh@openssh.com

It seems that the recent SSH scanning activity has some chance to trigger this bug: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498678>

As a result, OpenSSH runs into the MaxStartups limit, and no further logins are possible. Debian will release a security update for this because it impacts our own infrastructure. However, the issue can also be triggered by repeated login attempts under high system load (we saw it on a private network without SSH scanning activity, too). I've also received a report about a FreeBSD machine affected in a similar way, so this is not Linux/GNU libc specific.

If there is demand, we will delay publication of an update. However, the issue was discovered by looking at the source code after this has been triggered on production servers, so it's technically already being exploited.

A patch which is an improvement over commenting out the do_log call would be appreciated. (I can try to cook up something and have it reviewed, if that helps.) However, I understand that it is somewhat debatable if this is a security vulnerability.
CVE-2008-4109
We have never addressed this issue before. It means that we do not have a broken patch included, but we had not fixed the original issue in our older releases (sles9, sles10) yet - in fact it looks like we have never backported any fix for security issues addressed in 4.4p1:

* Fix a pre-authentication denial of service found by Tavis Ormandy, that would cause sshd(8) to spin until the login grace time expired.
* Fix an unsafe signal handler reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. On portable OpenSSH, this vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote.
* On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms.

Should I try to find these fixes and backport them all for sles9 and sles10?
Your predecessor already did, see bug 208662. If not then yes, please add the missing fixes.
setting default priority for all VUL-0 bugs
Umm, you are right, sorry. I have not checked all the patches and there was no mention in the changelog about this fix. So I thought that the code comes from the source tarball. So our newer distros are fixed; sles9/10 contain the buggy patch. Although the buggy patch was included in upstream ssh for a while, no real version that contains it was released. We "backported" the fix from 4.4p1 but while 4.4p1 was OK, we took the original wrong patch - so actually I still do not understand what really happened that we released it like this. But never mind. I am going to prepare fixes for sles9/10 and hopefully I will get it right this time.
ok, thanks :)
Done. In fact I could just remove everything inside the sigdie() function and the result would be the same for us... but I have tried to just backport the code from the upstream.
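As an added illustration of the bug class in the vendor-sec report above (a grace-timer signal handler calling do_log) and of why emptying sigdie() is a fix, here is constructed example code, not OpenSSH's own code and not the SUSE patch: a toy handler that re-enters a locking logger, beside a handler that does only async-signal-safe work. The lock flag, function names and messages are stand-ins chosen for the example.

```c
#include <signal.h>
#include <stdio.h>
/* Constructed example. The toy logger stands in for sshd's do_log() ->
 * syslog(): it holds a lock (a flag here, a mutex inside glibc), which is
 * what makes it unsafe to call from a signal handler. */
static volatile sig_atomic_t log_busy = 0;
static void do_log(const char *msg) {
    while (log_busy) { }        /* called from a handler, this never ends */
    log_busy = 1;
    fprintf(stderr, "sshd: %s\n", msg);
    log_busy = 0;
}
/* Probe for the old sigdie() pattern: instead of calling do_log() and
 * hanging, record that the lock was already held when SIGALRM arrived. */
static volatile sig_atomic_t would_deadlock = 0;
static void unsafe_grace_handler(int sig) {
    (void)sig;
    if (log_busy)
        would_deadlock = 1;     /* the real handler would block here forever */
    else
        do_log("Timeout before authentication");
}
/* Hardened handler: only async-signal-safe work (set a flag; _exit(2) or a
 * write(2) of a constant string would also do). Logging happens afterwards. */
static volatile sig_atomic_t grace_expired = 0;
static void safe_grace_handler(int sig) {
    (void)sig;
    grace_expired = 1;
}
/* Deliver SIGALRM while "inside" the logger, as when the login grace timer
 * fires mid-log on a loaded host. Returns 1 if the old handler would hang. */
int probe_unsafe_handler(void) {
    would_deadlock = 0;
    signal(SIGALRM, unsafe_grace_handler);
    log_busy = 1;               /* main code is in the middle of do_log() */
    raise(SIGALRM);
    log_busy = 0;
    return would_deadlock;
}
/* Same interruption with the hardened handler: returns 1 once grace expiry
 * is recorded, and the log line is written safely after the handler ran. */
int run_safe_handler(void) {
    grace_expired = 0;
    signal(SIGALRM, safe_grace_handler);
    log_busy = 1;
    raise(SIGALRM);
    log_busy = 0;
    if (grace_expired)
        do_log("Timeout before authentication");
    return grace_expired;
}
```

A child sshd stuck in the first pattern never exits, so it keeps counting against MaxStartups until the limit is reached and new connections are refused.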
(patchinfos missing still according to Rudi)
reusing MaintenanceTracker-19706
updates released
CVE-2008-4109: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)