Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE id request: openssh?
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 06 Feb 2013 19:23:18 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/06/2013 02:20 PM, Nico Golde wrote:
Hello, years ago CVE-2006-1206 was raised for a denial of service
attack against dropbear based on exhausting the maximum number of
connections. Back in 2010 I played around with this in openssh to
find out if similar attacks work against that. Since then I never
really knew what to do with this, but every now and then I remember
it and after this bugged me for a while, I finally brought up the
topic to the openssh developers.

The attached program demonstrates a similar attack against a
default openssh installation. The program simply connects to an ssh
server and waits for the socket to be closed, thus determining the
LoginGraceTime setting of the server. Next, it opens up connections
to the server, keeping them open until no further connection is
allowed and thus determining the MaxStartUps setting (of course,
this may not be always accurate depending on the currently active 
sessions etc, but this is a minor detail).

The code continues to sleep for logingracetime seconds and spawns
maxstartup connections again. As a result, unless you are very
lucky and you hit the time window between the connection respawn, a
user can not login anymore.

While this is a standard problem for any network service that
limits the number of connections, I think in openssh's case this is
supported by very historically very long LoginGraceTime default
settings (2 minutes) and a lack of random early drop usage for
MaxStartups.

While you could argue that this is not per-se an openssh security
issue, the default settings aid here to a trivial denial of service
attack against ssh installations by all linux distributions I've
seen.

The result for a user who tries to login is this: 
ssh_exchange_identification: Connection closed by remote host

The openssh maintainers actually agree here and it resulted in the
following changes: 
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234


http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89

 I personally don't mind whether this get's a CVE id or not,but
considering that dropbear got one in the past,I thought I'd bring
this up.

Kind regards Nico

Please use CVE-2010-5107  for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRExAWAAoJEBYNRVNeJnmTkjIP/1OZL0I3yaXM/f7QUQbC9TcF
yVKK8s6FsXgUcIMigtvm1CwHLWU1QVDXr+Q6SgytPqo/SF6r8+xWTOOLslPgKL39
oUEAE+0kIZ5900q3bsbLeJ7vLT0YXbPeFtd4tCE8WhFLKnX8zpbYx17xPtwowO0C
cFXLYbkl8XS6ZFOynxaSxexXLJCrhtJMqSqfJBDFd/tjRU8jM0WHne85+wGIPiI6
vQWNbV59aAn3GAmKk2j+lET2D+3JHwHS/QkCRvkxiEuhka+Gx+nmdqQ5ms0hdeIi
4h65F+ppOfeQ6gkS+fnTPvkajPo7RQGwQ5GPGkaLX3i54q9aCIc5JCfXv7L3r1uA
J9Ix+4zlTdLPcTy2m2aU5m4G9yk2cv7OgwQvilZTGQF9Ro1acIYSm019WNSvr47N
9ItUQHfUsEqrY89Lnd/fS/gviCjW9cYTPaJCcPfWO38j+L7mD15UgrQXGyzwXrY0
RbYqWOGJ83aAGzFm8Xa24wo7g5spk1zlCYQoKiFPKq8yAXMb258SDkgDPrXPgY0o
+HQ7NkE4pAK2x9qvkeZ/LLHvwPYGiSjJdvivnCQMNtZPqkbHdyF4ULOu93sw6PkO
++Ih1RmeyKyTiVB60UkiCIMHNMvCGk6Zp4OJxpMmPPhq2K/usWXEGqTDrKa+LgL6
4bajkNh3HLA5ZdC+Wq0g
=tGUF
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault