Bug 9069 - openssh new security issue CVE-2010-5107
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal  Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/537753/
Whiteboard: MGA2-64-OK, MGA2-32-OK
Keywords: validated_update
Reported: 2013-02-13 21:41 CET by David Walser
Modified: 2013-02-14 00:07 CET (History)
Source RPM: openssh-5.9p1-5.mga2.src.rpm
Description David Walser 2013-02-13 21:41:12 CET
Fedora has issued an advisory on February 9:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098692.html

Patched packages uploaded for Mageia 2 and Cauldron.

Patch checked into Mageia 1 SVN.

Advisory:
========================

Updated openssh packages fix security vulnerability:

A denial of service flaw was found in the way the default server configuration of
OpenSSH, an open source implementation of SSH protocol versions 1 and 2,
performed management of its connection slots. A remote attacker could use this
flaw to cause connection slot exhaustion on the server (CVE-2010-5107).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5107
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098692.html
========================

Updated packages in core/updates_testing:
========================
openssh-5.9p1-5.1.mga2
openssh-clients-5.9p1-5.1.mga2
openssh-server-5.9p1-5.1.mga2
openssh-askpass-common-5.9p1-5.1.mga2
openssh-askpass-5.9p1-5.1.mga2
openssh-askpass-gnome-5.9p1-5.1.mga2

from openssh-5.9p1-5.1.mga2.src.rpm
Comment 1 Marc Lattemann 2013-02-13 22:06:08 CET
not sure, but possible PoC? http://www.openwall.com/lists/oss-security/2013/02/06/5
Comment 2 Marc Lattemann 2013-02-13 22:26:41 CET
could not reproduce PoC:

'attacking' PC:
[marc@Rechner Programme]$ ./a.out 192.168.0.119:22 1
[+] getting needed connection count...
[+] attacking 192.168.0.119 port 22 with 10 connections
[+] opening connection 10
[*] sleeping for 1 seconds...
[+] closing connections and restarting
[+] opening connection 10
[*] sleeping for 1 seconds...
[+] closing connections and restarting
[+] opening connection 10
[*] sleeping for 1 seconds...
^C

log-file of openssh-server:
Feb 13 22:24:35 MGA2_64 sshd[5037]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:35 MGA2_64 sshd[5038]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:35 MGA2_64 sshd[5034]: Did not receive identification string from 192.168.0.129
[..]

not sure if (and how) I need to increase the connection count?
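The "Did not receive identification string" lines above are what sshd logs when a client opens a TCP connection and never sends its SSH banner, which is exactly the footprint of a connection-slot exhaustion attempt. As an added example that is not part of this bug report or of the Mageia packages, the following script counts those events per source address inside a sliding window and flags sources that reach the slot limit. The sample log, the window of 120 seconds (matching the LoginGraceTime mentioned in this thread) and the threshold of 10 (the pre-fix MaxStartups default) are assumptions chosen for the example:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format shown in the bug report; host name,
# PIDs and addresses are made up for this example.
SAMPLE_LOG = """\
Feb 13 22:24:35 MGA2_64 sshd[5037]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:35 MGA2_64 sshd[5038]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:35 MGA2_64 sshd[5034]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:35 MGA2_64 sshd[5035]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:35 MGA2_64 sshd[5036]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:36 MGA2_64 sshd[5039]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:36 MGA2_64 sshd[5040]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:36 MGA2_64 sshd[5041]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:37 MGA2_64 sshd[5042]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:37 MGA2_64 sshd[5043]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:37 MGA2_64 sshd[5044]: Did not receive identification string from 192.168.0.129
[..]
Feb 13 22:25:02 MGA2_64 sshd[5045]: Accepted password for test from 192.168.0.129 port 51234 ssh2
Feb 13 22:31:10 MGA2_64 sshd[5101]: Did not receive identification string from 10.0.0.5
Feb 13 22:35:00 MGA2_64 sshd[5102]: Did not receive identification string from 10.0.0.5
"""

# Matches the line sshd writes when a client connects but never sends its
# SSH version banner before the connection goes away.
NO_BANNER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<src>\S+)$"
)


def parse_no_banner_events(log_text):
    """Return a list of (timestamp, source) for every no-banner line."""
    events = []
    for line in log_text.splitlines():
        m = NO_BANNER_RE.match(line)
        if not m:
            continue  # unrelated sshd lines and the "[..]" marker are skipped
        # syslog timestamps carry no year; strptime defaults it to 1900, which
        # is fine for computing intervals inside one log file.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append((ts, m.group("src")))
    return events


def max_events_in_window(timestamps, window_seconds):
    """Largest number of events from one source inside any span of window_seconds."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(timestamps):
        while (t - timestamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_slot_exhaustion(log_text, window_seconds=120, threshold=10):
    """Per-source peak of no-banner connections inside the window, plus the
    sources whose peak reaches the slot limit. The defaults (120 s window,
    10 slots) are assumptions matching the LoginGraceTime and MaxStartups
    values discussed for this issue."""
    per_source = defaultdict(list)
    for ts, src in parse_no_banner_events(log_text):
        per_source[src].append(ts)
    peaks = {src: max_events_in_window(ts_list, window_seconds)
             for src, ts_list in per_source.items()}
    alerts = sorted((src, n) for src, n in peaks.items() if n >= threshold)
    return peaks, alerts


if __name__ == "__main__":
    peaks, alerts = find_slot_exhaustion(SAMPLE_LOG)
    for src, n in sorted(peaks.items()):
        print(f"{src}: peak {n} unfinished connections in window")
    for src, n in alerts:
        print(f"ALERT {src} held {n} slots, enough to exhaust MaxStartups")
```

On the constructed sample, 192.168.0.129 holds 11 banner-less connections within two seconds and is flagged, while 10.0.0.5 has two such events more than 120 seconds apart and stays below the threshold. A single burst like this is also what a scanner produces, so in practice the alert is most useful combined with a check that real logins from other sources failed during the same window.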
Comment 3 David Walser 2013-02-13 23:03:39 CET
The last argument is optional, but should be 120 generally (should match the LoginGraceTime setting in /etc/ssh/sshd_config in seconds).
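The tie between LoginGraceTime and the connection slots is what makes the default configuration exhaustible: an unauthenticated connection occupies one of the MaxStartups slots until the grace period expires, and a plain MaxStartups count refuses every further connection once those slots are taken. The upstream fix turned on random early drop by default (MaxStartups 10:30:100, the start:rate:full form described in sshd_config(5)). As an added example that is not from this bug report or the Mageia packages, the following checker reads an sshd_config fragment and reports whether random early drop is enabled and how long a slot can be held. The two config fragments, the defaults assumed when a directive is absent (MaxStartups 10, LoginGraceTime 120) and the 60-second grace threshold are assumptions for the example:

```python
import re

# Constructed sshd_config fragments for this example (not the Mageia package
# defaults). The first reflects the pre-fix situation the advisory describes:
# a plain MaxStartups count with a 120-second LoginGraceTime.
VULNERABLE_CONFIG = """\
# constructed example
Port 22
MaxStartups 10
LoginGraceTime 120
"""

# The hardened form: random early drop (start:rate:full, see sshd_config(5))
# and a shorter grace period so held slots are freed sooner.
HARDENED_CONFIG = """\
# constructed example
Port 22
MaxStartups 10:30:100
LoginGraceTime 30
"""

MAXSTARTUPS_RE = re.compile(r"^\s*MaxStartups\s+(\d+)(?::(\d+):(\d+))?\s*$", re.I | re.M)
# Only a single unit suffix is handled here; sshd also accepts combined forms
# such as 1h30m, which this simplified parser does not support.
LOGINGRACE_RE = re.compile(r"^\s*LoginGraceTime\s+(\d+)([smh]?)\s*$", re.I | re.M)
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600}


def parse_maxstartups(text, default=(10, 100, 10)):
    """Return (start, rate, full). A plain count N is treated as N:100:N for the
    assessment: nothing is dropped below N pending connections and everything
    is refused from N on. `default` is an assumption for configs that omit
    the directive."""
    m = MAXSTARTUPS_RE.search(text)
    if not m:
        return default
    if m.group(2):
        return int(m.group(1)), int(m.group(2)), int(m.group(3))
    n = int(m.group(1))
    return n, 100, n


def parse_login_grace_time(text, default=120):
    """LoginGraceTime in seconds; `default` is an assumption when it is absent."""
    m = LOGINGRACE_RE.search(text)
    if not m:
        return default
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def assess_sshd_config(text, max_grace=60):
    """Summarise the slot-exhaustion exposure of an sshd_config fragment."""
    start, rate, full = parse_maxstartups(text)
    grace = parse_login_grace_time(text)
    random_early_drop = full > start
    findings = []
    if not random_early_drop:
        findings.append(
            f"MaxStartups {full} without random early drop: every new connection "
            f"is refused once {full} unauthenticated connections are pending")
    if grace > max_grace:
        findings.append(
            f"LoginGraceTime {grace}s lets an idle unauthenticated connection "
            f"occupy a slot for {grace}s; a shorter value frees slots sooner")
    return {
        "max_startups": (start, rate, full),
        "login_grace_time": grace,
        "random_early_drop": random_early_drop,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = assess_sshd_config(cfg)
        print(name, result["max_startups"], f"grace={result['login_grace_time']}s")
        for finding in result["findings"]:
            print("  -", finding)
```

With random early drop, sshd starts refusing a growing fraction of new unauthenticated connections from `start` pending connections upwards and only refuses all of them at `full`, so a burst of idle connections no longer shuts out legitimate logins outright; pairing that with a short LoginGraceTime limits how long each idle connection counts against the limit.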
Comment 4 Marc Lattemann 2013-02-13 23:24:40 CET
OK, I will learn reading - after reading the PoC again carefully:
started the DDoS attack and tried to connect with ssh from another console at the same time.

Before upgrade:

[marc@Rechner Programme]$ ssh test@192.168.0.119
ssh_exchange_identification: Connection closed by remote host

same error as described in the PoC.

after upgrade:
[marc@Rechner Programme]$ ssh test@192.168.0.119
Password:
Last login: Wed Feb 13 23:15:09 2013 from 192.168.0.129
[test@MGA2_64 ~]$

so tested successfully. Will now test i586
Comment 5 Marc Lattemann 2013-02-13 23:42:42 CET
same result for i586:

before update:
[marc@Rechner Programme]$ ssh test@192.168.0.116
ssh_exchange_identification: Connection closed by remote host

after update:
[marc@Rechner Programme]$ ssh test@192.168.0.116
test@192.168.0.116's password:
Last login: Wed Feb 13 23:36:47 2013 from 192.168.0.129
[test@MGA2_32BIT ~]

validating.

Please see Description for Advisory and srcrpm

Can someone from the sysadmin team push the packages to Core Updates? Thanks
Comment 6 Thomas Backlund 2013-02-14 00:07:17 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0052
