CVE id request: openssh?
From: Nico Golde <oss-security+ml () ngolde de>
Date: Wed, 6 Feb 2013 22:20:35 +0100
Years ago CVE-2006-1206 was raised for a denial of service attack against
dropbear based on exhausting the maximum number of connections.
Back in 2010 I played around with this in openssh to find out if similar
attacks work against that. Since then I never really knew what to do with
this, but every now and then I remember it and after this bugged me for a
while, I finally brought up the topic to the openssh developers.
The attached program demonstrates a similar attack against a default openssh
installation. The program simply connects to an ssh server and waits for the
socket to be closed, thus determining the LoginGraceTime setting of the
server. Next, it opens up connections to the server, keeping them open until
no further connection is allowed and thus determining the MaxStartUps setting
(of course, this may not always be accurate depending on the currently active
sessions etc., but this is a minor detail).
The code continues to sleep for logingracetime seconds and spawns maxstartup
connections again. As a result, unless you are very lucky and you hit the time
window between the connection respawn, a user cannot login anymore.
While this is a standard problem for any network service that limits the
number of connections, I think in openssh's case this is supported by
historically very long LoginGraceTime default settings (2 minutes) and a lack
of random early drop usage for MaxStartups.
While you could argue that this is not per se an openssh security issue, the
default settings aid a trivial denial of service attack against
ssh installations by all Linux distributions I've seen.
The result for a user who tries to login is this:
ssh_exchange_identification: Connection closed by remote host
The openssh maintainers actually agree here and it resulted in the following
I personally don't mind whether this gets a CVE id or not, but considering
that dropbear got one in the past, I thought I'd bring this up.
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0xA0A0AAAA
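The two settings the message singles out, LoginGraceTime and the random early drop form of MaxStartups (start:rate:full), can be audited in an sshd_config before a server is exposed. The following checker is an added example, not code from the post or from OpenSSH; the sample config fragments are constructed, and the fallback defaults (120 seconds, a plain MaxStartups of 10) are taken from the message's description of the shipped defaults.

```python
import re

# Constructed sample sshd_config fragments (not from the original message).
WEAK_CONFIG = "Port 22\nLoginGraceTime 2m\nMaxStartups 10\n"
HARDENED_CONFIG = "Port 22\nLoginGraceTime 30\nMaxStartups 10:30:100\n"

# sshd accepts bare seconds or an s/m/h suffix for time values.
_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600}

def parse_grace_time(value):
    """Convert a LoginGraceTime value to seconds."""
    m = re.fullmatch(r"(\d+)([smh]?)", value.strip().lower())
    if not m:
        raise ValueError(f"unsupported LoginGraceTime value: {value!r}")
    return int(m.group(1)) * _TIME_UNITS[m.group(2)]

def parse_max_startups(value):
    """Return (start, rate, full); rate/full are None without random early drop."""
    parts = [int(p) for p in value.strip().split(":")]
    if len(parts) not in (1, 3):
        raise ValueError(f"unsupported MaxStartups value: {value!r}")
    return parts[0], *(parts[1:] or (None, None))

def effective_settings(config_text):
    """Resolve the two directives; sshd uses the first value seen for a keyword."""
    found = {}
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) != 2:
            continue
        key, val = fields[0].lower(), fields[1].strip()
        if key in ("logingracetime", "maxstartups") and key not in found:
            found[key] = val
    # Defaults as described in the message (assumption: 2-minute grace, plain 10).
    return found.get("logingracetime", "120"), found.get("maxstartups", "10")

def audit(config_text, max_grace_seconds=30):
    """Return findings about the two settings this slot-exhaustion DoS relies on."""
    grace_raw, startups_raw = effective_settings(config_text)
    findings = []
    grace = parse_grace_time(grace_raw)
    if grace > max_grace_seconds:
        findings.append(f"LoginGraceTime {grace}s exceeds {max_grace_seconds}s; "
                        "each stalled connection holds a slot for that long")
    start, rate, full = parse_max_startups(startups_raw)
    if rate is None:
        findings.append(f"MaxStartups {start} has no random early drop; "
                        f"all {start} unauthenticated slots can be held until grace expires")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```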