Re: CVE id request: openssh?

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/06/2013 02:20 PM, Nico Golde wrote:
> Hello, years ago CVE-2006-1206 was raised for a denial of service
> attack against dropbear based on exhausting the maximum number of
> connections. Back in 2010 I played around with this in openssh to
> find out if similar attacks work against that. Since then I never
> really knew what to do with this, but every now and then I remember
> it and after this bugged me for a while, I finally brought up the
> topic to the openssh developers.
>
> The attached program demonstrates a similar attack against a
> default openssh installation. The program simply connects to an ssh
> server and waits for the socket to be closed, thus determining the
> LoginGraceTime setting of the server. Next, it opens up connections
> to the server, keeping them open until no further connection is
> allowed and thus determining the MaxStartUps setting (of course,
> this may not be always accurate depending on the currently active 
> sessions etc, but this is a minor detail).
>
> The code continues to sleep for logingracetime seconds and spawns
> maxstartup connections again. As a result, unless you are very
> lucky and you hit the time window between the connection respawn, a
> user can not login anymore.
>
> While this is a standard problem for any network service that
> limits the number of connections, I think in openssh's case this is
> supported by very historically very long LoginGraceTime default
> settings (2 minutes) and a lack of random early drop usage for
> MaxStartups.
>
> While you could argue that this is not per-se an openssh security
> issue, the default settings aid here to a trivial denial of service
> attack against ssh installations by all linux distributions I've
> seen.
>
> The result for a user who tries to login is this: 
> ssh_exchange_identification: Connection closed by remote host
>
> The openssh maintainers actually agree here and it resulted in the
> following changes: 
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
>
>  I personally don't mind whether this get's a CVE id or not,but
> considering that dropbear got one in the past,I thought I'd bring
> this up.
>
> Kind regards Nico

Please use CVE-2010-5107  for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRExAWAAoJEBYNRVNeJnmTkjIP/1OZL0I3yaXM/f7QUQbC9TcF
yVKK8s6FsXgUcIMigtvm1CwHLWU1QVDXr+Q6SgytPqo/SF6r8+xWTOOLslPgKL39
oUEAE+0kIZ5900q3bsbLeJ7vLT0YXbPeFtd4tCE8WhFLKnX8zpbYx17xPtwowO0C
cFXLYbkl8XS6ZFOynxaSxexXLJCrhtJMqSqfJBDFd/tjRU8jM0WHne85+wGIPiI6
vQWNbV59aAn3GAmKk2j+lET2D+3JHwHS/QkCRvkxiEuhka+Gx+nmdqQ5ms0hdeIi
4h65F+ppOfeQ6gkS+fnTPvkajPo7RQGwQ5GPGkaLX3i54q9aCIc5JCfXv7L3r1uA
J9Ix+4zlTdLPcTy2m2aU5m4G9yk2cv7OgwQvilZTGQF9Ro1acIYSm019WNSvr47N
9ItUQHfUsEqrY89Lnd/fS/gviCjW9cYTPaJCcPfWO38j+L7mD15UgrQXGyzwXrY0
RbYqWOGJ83aAGzFm8Xa24wo7g5spk1zlCYQoKiFPKq8yAXMb258SDkgDPrXPgY0o
+HQ7NkE4pAK2x9qvkeZ/LLHvwPYGiSjJdvivnCQMNtZPqkbHdyF4ULOu93sw6PkO
++Ih1RmeyKyTiVB60UkiCIMHNMvCGk6Zp4OJxpMmPPhq2K/usWXEGqTDrKa+LgL6
4bajkNh3HLA5ZdC+Wq0g
=tGUF
-----END PGP SIGNATURE-----