
Bug#729148: Memory corruption vulnerability when using AES-GCM



Package: openssh-server
Version: 1:6.2p2-6~bpo7
Severity: grave
Tags: patch, security, fixed-upstream

The recent security advisory from OpenSSH upstream dated 2013-11-07
mentions that "a memory corruption vulnerability exists in the
post-authentication sshd process when an AES-GCM cipher
(aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during
kex exchange."

"If exploited, this vulnerability might permit code execution with the
privileges of the authenticated user and may therefore allow bypassing
restricted shell/command configurations."

This only applies to OpenSSH 6.2 and 6.3 built against OpenSSL
supporting AES-GCM. It has been fixed in upstream, OpenSSH 6.4.

The advisory mentions usage of the following patch:

Index: monitor_wrap.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/monitor_wrap.c,v
retrieving revision 1.76
diff -u -p -u -r1.76 monitor_wrap.c
--- monitor_wrap.c	17 May 2013 00:13:13 -0000	1.76
+++ monitor_wrap.c	6 Nov 2013 16:31:26 -0000
@@ -469,7 +469,7 @@ mm_newkeys_from_blob(u_char *blob, int b
 	buffer_init(&b);
 	buffer_append(&b, blob, blen);
 
-	newkey = xmalloc(sizeof(*newkey));
+	newkey = xcalloc(1, sizeof(*newkey));
 	enc = &newkey->enc;
 	mac = &newkey->mac;
 	comp = &newkey->comp;
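Review bot: the switch from xmalloc to xcalloc at line 469 zero-fills *newkey, but nothing in the hunk records why zeroing is needed, so a later reader could see the xcalloc as a no-op and revert it; add a one-line comment above the allocation, e.g. `/* zero-fill: not every member of *newkey is assigned below */`, or note the reason in the commit message, so the fix stays tied to the uninitialized-field problem it addresses rather than looking like a style change.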

Alternatively, AES-GCM should be disabled in sshd_config as a workaround
to this vulnerability.

See also: <http://www.openssh.com/txt/gcmrekey.adv>

Linux edi 3.10-0.bpo.3-amd64 #1 SMP Debian 3.10.11-1~bpo70+1
(2013-09-24) x86_64 GNU/Linux
openssh-server: 1:6.2p2-6~bpo7
openssl: 1.0.1e-2
-- 
Patrick Godschalk
argure@argure.nl
GPG: <https://argure.nl/identity/ecc14594.asc>
This e-mail falls under the CC0 1.0 Universal Public Domain Dedication.
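The workaround the report suggests, disabling AES-GCM in sshd_config, is easiest to verify against the server's effective configuration rather than the file on disk. The following is an added example, not part of the bug report or of OpenSSH; it assumes `sshd -T` (extended test mode, which prints the effective settings) is available, and the `ciphers` sample line is constructed, not captured from a real host. The `offers_gcm` and `check_line` names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): detect whether an sshd still
# offers the AES-GCM ciphers named in the advisory, and print the
# sshd_config workaround line if it does.

# Return 0 (true) if a comma-separated cipher list contains either
# AES-GCM cipher, 1 otherwise. Matching is exact per list entry, so
# names such as aes128-ctr never match.
offers_gcm() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -q -E '^aes(128|256)-gcm@openssh\.com$'
}

# Workaround cipher list: CTR modes only, no GCM. This particular list is
# an assumption for the example; adjust to what the site's clients support.
HARDENED_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr'

# Constructed sample of the "ciphers" line as `sshd -T` prints it on a
# host that still offers GCM (not output from a real system).
SAMPLE_VULN='ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'

# Take one "ciphers ..." line from `sshd -T` output; return 1 and print the
# workaround if GCM is offered, return 0 otherwise.
check_line() {
    # Strip the leading keyword, leaving the comma-separated list.
    list=${1#"ciphers "}
    if offers_gcm "$list"; then
        echo "AES-GCM offered: set 'Ciphers $HARDENED_CIPHERS' in sshd_config and reload sshd"
        return 1
    fi
    echo "AES-GCM not offered"
    return 0
}

# Live use on the host (reading host keys normally requires root):
#   sshd -T | grep '^ciphers ' | { read -r line; check_line "$line"; }
```

Checking `sshd -T` output rather than sshd_config matters because a `Ciphers` line may be absent (defaults apply) or overridden in a `Match` block; the effective list is what clients can negotiate.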