Bug 802639 (CVE-2010-5107) - VUL-1: CVE-2010-5107: openssh remote denial of service
Summary: VUL-1: CVE-2010-5107: openssh remote denial of service
Status: RESOLVED FIXED
Duplicates: 841638
Alias: CVE-2010-5107
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P2 - High    Severity: Major
Target Milestone: ---
Deadline: 2017-01-18
Assignee: Petr Cerny
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2006-1206:5.0:(AV:N/A...
Keywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Depends on:
Blocks: 841638
Reported: 2013-02-07 16:29 UTC by Marcus Meissner
Modified: 2020-06-29 06:23 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
sshext.c (3.83 KB, text/plain)
2013-02-07 16:30 UTC, Marcus Meissner

Description Marcus Meissner 2013-02-07 16:29:47 UTC
is public, via oss-sec

CVE-2010-5107

From: Nico Golde <oss-security+ml@ngolde.de>
Subject: [oss-security] CVE id request: openssh?

Hello,
years ago CVE-2006-1206 was raised for a denial of service attack against 
dropbear based on exhausting the maximum number of connections.
Back in 2010 I played around with this in openssh to find out if similar 
attacks work against that. Since then I never really knew what to do with 
this, but every now and then I remember it and after this bugged me for a 
while, I finally brought up the topic to the openssh developers.

The attached program demonstrates a similar attack against a default openssh 
installation. The program simply connects to an ssh server and waits for the 
socket to be closed, thus determining the LoginGraceTime setting of the 
server. Next, it opens up connections to the server, keeping them open until 
no further connection is allowed and thus determining the MaxStartups setting 
(of course, this may not be always accurate depending on the currently active 
sessions etc, but this is a minor detail).

The code continues to sleep for LoginGraceTime seconds and spawns MaxStartups 
connections again. As a result, unless you are very lucky and you hit the time 
window between the connection respawn, a user cannot log in anymore.

While this is a standard problem for any network service that limits the 
number of connections, I think in openssh's case this is supported by the 
historically very long LoginGraceTime default setting (2 minutes) and a lack
of random early drop usage for MaxStartups.

While you could argue that this is not per se an openssh security issue, the 
default settings here aid a trivial denial of service attack against
ssh installations by all Linux distributions I've seen.

The result for a user who tries to login is this:
ssh_exchange_identification: Connection closed by remote host

The openssh maintainers actually agree here and it resulted in the following 
changes:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89

I personally don't mind whether this gets a CVE id or not, but considering 
that dropbear got one in the past, I thought I'd bring this up.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
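The exhaustion attack in the mail above, and the mitigation the linked OpenSSH commits introduce (random early drop via the "start:rate:full" form of MaxStartups, which OpenSSH 6.2 made the default as 10:30:100), can be modelled without touching a real server. The C program below is an added example written for this bug; it is neither OpenSSH code nor the attached sshext.c. Its drop_percent() follows the arithmetic of drop_connection() in sshd.c as I know it; the parser, the probe simulation (a tiny LCG standing in for sockets) and the cost estimate are this example's own constructions.

```c
#include <stdio.h>

/* Added example for this bug (not OpenSSH code, not the attached sshext.c):
 * a model of sshd's MaxStartups handling showing why the attack in Nico's
 * mail is deterministic against the old default "MaxStartups 10" and only
 * probabilistic against the "start:rate:full" form. drop_percent() follows
 * the arithmetic of drop_connection() in sshd.c; the parser, the probe
 * simulation and the cost estimate are this example's own constructions. */

struct max_startups {
    int begin; /* start random early drop at this many pre-auth connections */
    int rate;  /* drop percentage at 'begin' */
    int full;  /* refuse every new connection once this many are pending */
};

/* Parse "N" or "start:rate:full" as sshd_config(5) defines MaxStartups. A bare
 * "N" means begin == full == N at a 100% rate: hard refusal, no early drop. */
int parse_max_startups(const char *spec, struct max_startups *ms)
{
    int begin = 0, rate = 0, full = 0;
    int n = sscanf(spec, "%d:%d:%d", &begin, &rate, &full);

    if (n == 3 && begin >= 1 && rate >= 1 && rate <= 100 && full >= begin) {
        ms->begin = begin; ms->rate = rate; ms->full = full;
        return 0;
    }
    if (n == 1 && begin >= 1) {
        ms->begin = begin; ms->rate = 100; ms->full = begin;
        return 0;
    }
    return -1;
}

/* Percentage chance that a new connection is dropped while 'startups' are
 * already in the pre-auth phase; a dropped client sees the
 * "ssh_exchange_identification: Connection closed by remote host" from the
 * mail. Grows linearly from 'rate' at 'begin' to 100 at 'full'. */
int drop_percent(const struct max_startups *ms, int startups)
{
    int p;

    if (startups < ms->begin)
        return 0;
    if (startups >= ms->full || ms->rate == 100)
        return 100;
    p  = 100 - ms->rate;
    p *= startups - ms->begin;
    p /= ms->full - ms->begin;
    return p + ms->rate;
}

/* Expected connection attempts the attacker needs to build up 'held'
 * simultaneous pre-auth connections, since its own connections face the same
 * random drop. Returns -1.0 when 'held' is unreachable. */
double expected_attempts_to_hold(const struct max_startups *ms, int held)
{
    double total = 0.0;
    int i, p;

    if (held > ms->full)
        return -1.0;
    for (i = 0; i < held; i++) {
        p = drop_percent(ms, i);
        if (p >= 100)
            return -1.0;
        total += 100.0 / (100 - p);
    }
    return total;
}

/* The "open connections until one is refused" probe from the mail, run
 * against this model with a small LCG instead of sockets (constructed for
 * determinism). Against "10" it returns exactly 10; against "10:30:100" the
 * first refusal lands anywhere from begin to full, so the estimate is noisy. */
int probe_estimate(const struct max_startups *ms, unsigned seed)
{
    int held = 0, r;

    for (;;) {
        seed = seed * 1103515245u + 12345u;
        r = (int)((seed >> 16) % 100);          /* roughly uniform 0..99 */
        if (r < drop_percent(ms, held))
            return held;                        /* refused: the probe stops */
        held++;
    }
}

int main(void)
{
    struct max_startups ms;
    int held;

    if (parse_max_startups("10:30:100", &ms) != 0)
        return 1;
    printf("probe estimates MaxStartups %d\n", probe_estimate(&ms, 1));
    for (held = 10; held <= 100; held += 30)
        printf("holding %3d: drop %3d%%, attempts to get there %.1f\n",
               held, drop_percent(&ms, held), expected_attempts_to_hold(&ms, held));
    return 0;
}
```

Read against the mail: with the weak setting every distribution shipped at the time, `MaxStartups 10` and `LoginGraceTime 2m`, the attacker's probe counts exactly 10, ten held sockets drop 100% of new logins, and each socket is counted for a full two minutes before sshd reaps it. With `MaxStartups 10:30:100` (the default after the linked change, shipped in OpenSSH 6.2) the probe becomes noisy, a legitimate login still has a 70% chance at ten held sockets, and the attacker needs to hold close to 100 while its own connections are dropped at the same rising rate. A shorter `LoginGraceTime` (30 seconds is common) shrinks the window each held socket buys. The caveat the model makes plain: random early drop raises the cost of the attack and does not remove it, because whoever holds `full` pre-auth connections still locks everyone out, so port 22 on an exposed host still wants firewall or per-source limits in front of sshd.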
Comment 1 Marcus Meissner 2013-02-07 16:30:24 UTC
Created attachment 523772
sshext.c

sshext.c attached to Nico's mail
Comment 2 Swamp Workflow Management 2013-02-07 23:00:31 UTC
bugbot adjusting priority
Comment 4 Petr Cerny 2013-03-20 14:13:32 UTC
I have patches for SLE-11-SP2 and SLE-10-SP4 prepared for the next update round.

SLE-11-SP3 already has it applied as well.
Comment 18 Swamp Workflow Management 2013-08-14 14:50:17 UTC
Update released for: openssh, openssh-askpass, openssh-debuginfo, openssh-debugsource
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 23 Marcus Meissner 2013-08-30 11:29:16 UTC
done
Comment 25 Swamp Workflow Management 2013-09-30 08:06:37 UTC
The SWAMPID for this issue is 54606.
This issue was rated as low.
Please submit fixed packages until 2013-10-28.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 26 Swamp Workflow Management 2013-09-30 16:07:07 UTC
Update released for: openssh, openssh-askpass, openssh-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 27 Leonardo Chiquitto 2014-10-17 21:15:46 UTC
*** Bug 841638 has been marked as a duplicate of this bug. ***
Comment 31 Swamp Workflow Management 2017-01-11 10:23:51 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-01-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63340