Bug 9069

Summary: openssh new security issue CVE-2010-5107
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/537753/
Whiteboard: MGA2-64-OK, MGA2-32-OK
Source RPM: openssh-5.9p1-5.mga2.src.rpm CVE:
Status comment:

Description David Walser 2013-02-13 21:41:12 CET 
Fedora has issued an advisory on February 9:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098692.html

Patched packages uploaded for Mageia 2 and Cauldron.

Patch checked into Mageia 1 SVN.

Advisory:
========================

Updated openssh packages fix security vulnerability:

A denial of service flaw was found in the way default server configuration of
OpenSSH, a open source implementation of SSH protocol versions 1 and 2,
performed management of its connection slot. A remote attacker could use this
flaw to cause connection slot exhaustion on the server (CVE-2010-5107).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5107
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098692.html
========================

Updated packages in core/updates_testing:
========================
openssh-5.9p1-5.1.mga2
openssh-clients-5.9p1-5.1.mga2
openssh-server-5.9p1-5.1.mga2
openssh-askpass-common-5.9p1-5.1.mga2
openssh-askpass-5.9p1-5.1.mga2
openssh-askpass-gnome-5.9p1-5.1.mga2

from openssh-5.9p1-5.1.mga2.src.rpm
Comment 1 Marc Lattemann 2013-02-13 22:06:08 CET 
not sure, but possible PoC? http://www.openwall.com/lists/oss-security/2013/02/06/5

CC: (none) => marc.lattemann

Comment 2 Marc Lattemann 2013-02-13 22:26:41 CET 
could not reproduce PoC:

'attacking' PC:
[marc@Rechner Programme]$ ./a.out 192.168.0.119:22 1
[+] getting needed connection count...
[+] attacking 192.168.0.119 port 22 with 10 connections
[+] opening connection 10
[*] sleeping for 1 seconds...
[+] closing connections and restarting
[+] opening connection 10
[*] sleeping for 1 seconds...
[+] closing connections and restarting
[+] opening connection 10
[*] sleeping for 1 seconds...
^C

log-file of openssh-server:
Feb 13 22:24:35 MGA2_64 sshd[5037]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:35 MGA2_64 sshd[5038]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:35 MGA2_64 sshd[5034]: Did not receive identification string from 192.168.0.129
[..]

not sure if (and how) I need to increase connection count?
Comment 3 David Walser 2013-02-13 23:03:39 CET 
The last argument is optional, but should be 120 generally (should match the LoginGraceTime setting in /etc/ssh/sshd_config in seconds).
Comment 4 Marc Lattemann 2013-02-13 23:24:40 CET 
OK,I will learn reading - after reading the poc again carefully:
started ddos attack an try to connect with ssh with another console at same time.

Before upgrade:

[marc@Rechner Programme]$ ssh test@192.168.0.119
ssh_exchange_identification: Connection closed by remote host

same error as described in poc.

after upgrade:
[marc@Rechner Programme]$ ssh test@192.168.0.119
Password:
Last login: Wed Feb 13 23:15:09 2013 from 192.168.0.129
[test@MGA2_64 ~]$

so tested successfully. Will now test i568

Whiteboard: (none) => MGA2-64-OK

Comment 5 Marc Lattemann 2013-02-13 23:42:42 CET 
same result for i586:

before update:
[marc@Rechner Programme]$ ssh test@192.168.0.116
ssh_exchange_identification: Connection closed by remote host

afer update:
[marc@Rechner Programme]$ ssh test@192.168.0.116
test@192.168.0.116's password:
Last login: Wed Feb 13 23:36:47 2013 from 192.168.0.129
[test@MGA2_32BIT ~]

validating.

Please see Description for Advisory and srcrpm

Can someone from sysadmin team can push the packages to Core Updates? Thanks

Keywords: (none) => validated_update
CC: marc.lattemann => sysadmin-bugs
Whiteboard: MGA2-64-OK => MGA2-64-OK, MGA2-32-OK

Comment 6 Thomas Backlund 2013-02-14 00:07:17 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0052

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED