Bug 1005480 - (CVE-2016-8858) VUL-1: CVE-2016-8858: openssh: KEXINIT: Memory exhaustion issue found in OpenSSH (DoS) (VulnDB 148976)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Petr Cerny
QA Contact: Security Team bot
Whiteboard: maint:running:63339:low maint:running...
Depends on:
Blocks:
 
Reported: 2016-10-19 07:11 UTC by Mikhail Kasimov
Modified: 2019-01-31 13:25 UTC
CC: 9 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Mikhail Kasimov 2016-10-19 07:11:22 UTC
Reference: http://seclists.org/oss-sec/2016/q4/185

===================================================
Hi,

OpenSSH has a memory exhaustion bug in the key exchange process.
An unauthenticated peer could repeat the KEXINIT and cause allocation of up to 384 MB (not the 128 MB that was officially stated).
In the default case, an attacker can build 100 such connections, which will consume 38400 MB of memory on the server.

The patch is here:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c?rev=1.127&content-type=text/x-cvsweb-markup

--
Regards,

Shi Lei / Gear Team, Qihoo 360 Inc.
GPG Key ID 37048936 / 5C4C 85C6 068C A5A0 23FA  0294 D9CE 9C25 3704 8936
===================================================
Comment 1 Swamp Workflow Management 2016-10-19 22:00:27 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2016-10-24 09:32:43 UTC
Upstream fix is at
https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe3064a8c200de6531e89ad

I have not found a public reference on OpenSSH's evaluation, but RH has the following to say, from http://seclists.org/oss-sec/2016/q4/195 and 

> OpenSSH upstream does not consider this as a security issue btw.
> 
> It seems the only thing the attacker could do here, is self-dos his own
> connection. Regarding consuming memory on the server, by opening several
> concurrent connections at the same time, there are various protections
> available in opensshd_config file, such as "MaxStartups", which can
> limit the maximum number of sessions per network connection.
> 
> This value is effectively set to 10:30:100, so a maximum of 100 * 128 MB
> can be allocated, which is pretty much for an unauthenticated user. Though
> the rate limiting starts to drop connections after 10, which is like 1GB
> and which should not hurt the server (though it is not cool).

VUL-1, more a bug than a vulnerability. Patch may be included in a future update.
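A toy model of the mechanism described in the original report and of the fix linked above, added here as an illustration; it is not OpenSSH code and not part of this bug report. It models a per-message dispatch table in the style of kex.c with a KEXINIT handler that appends the peer's proposal to a buffer. With the handler left registered, every repeated KEXINIT grows the buffer (the vulnerable behaviour the reporter describes); with the handler unregistered once the first KEXINIT has been consumed (my reading of the upstream commit linked in this comment, stated as an assumption since the page only links it), a second KEXINIT is rejected and the buffer is bounded by a single proposal. All names (`conn`, `kex_state`, `handle_kexinit`, `deliver`, `peer_bytes_after_repeats`) are invented for the model, the payloads are constructed zero-filled dummies, and unlike OpenSSH's sshbuf the toy buffer has no 128 MB ceiling.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_KEXINIT 20    /* SSH2_MSG_KEXINIT message number (RFC 4253) */
#define MSG_MAX     256   /* SSH message numbers fit in one byte */

struct conn;
typedef int (*handler_fn)(struct conn *, const unsigned char *, size_t);

struct kex_state {
    unsigned char *peer;          /* accumulated peer KEXINIT proposal bytes */
    size_t peer_len;
    int unregister_after_first;   /* 0 = vulnerable behaviour, 1 = fixed behaviour */
};

struct conn {
    struct kex_state kex;
    handler_fn dispatch[MSG_MAX]; /* message type -> handler, NULL = not accepted */
};

/* KEXINIT handler (model): appends the proposal to kex.peer. */
static int handle_kexinit(struct conn *c, const unsigned char *payload, size_t len)
{
    struct kex_state *k = &c->kex;
    unsigned char *p;

    /* The fix, modelled: once a KEXINIT has been consumed, stop accepting
     * another one for this key exchange. */
    if (k->unregister_after_first)
        c->dispatch[MSG_KEXINIT] = NULL;

    p = realloc(k->peer, k->peer_len + len);
    if (p == NULL)
        return -1;
    memcpy(p + k->peer_len, payload, len);
    k->peer = p;
    k->peer_len += len;
    return 0;
}

/* Deliver one packet. -1 means no handler is registered for the type;
 * a real server would treat that as a protocol error and drop the connection. */
static int deliver(struct conn *c, int type, const unsigned char *payload, size_t len)
{
    if (type < 0 || type >= MSG_MAX || c->dispatch[type] == NULL)
        return -1;
    return c->dispatch[type](c, payload, len);
}

static void conn_init(struct conn *c, int fixed)
{
    memset(c, 0, sizeof *c);
    c->kex.unregister_after_first = fixed;
    c->dispatch[MSG_KEXINIT] = handle_kexinit;
}

static void conn_free(struct conn *c)
{
    free(c->kex.peer);
    c->kex.peer = NULL;
    c->kex.peer_len = 0;
}

/* Feed `repeats` KEXINIT packets of `len` bytes each (constructed zero-filled
 * payloads) into a fresh connection and report how many bytes it holds afterwards. */
size_t peer_bytes_after_repeats(int fixed, int repeats, size_t len)
{
    struct conn c;
    unsigned char payload[1024] = {0};   /* constructed dummy proposal */
    size_t held;
    int i;

    if (len > sizeof payload)
        len = sizeof payload;
    conn_init(&c, fixed);
    for (i = 0; i < repeats; i++)
        if (deliver(&c, MSG_KEXINIT, payload, len) != 0)
            break;   /* fixed build: the second KEXINIT is rejected here */
    held = c.kex.peer_len;
    conn_free(&c);
    return held;
}

int main(void)
{
    printf("vulnerable: 1000 repeats x 1000 bytes -> %zu bytes held\n",
           peer_bytes_after_repeats(0, 1000, 1000));
    printf("fixed:      1000 repeats x 1000 bytes -> %zu bytes held\n",
           peer_bytes_after_repeats(1, 1000, 1000));
    return 0;
}
```

The point of the model is the ordering inside the handler: the dispatch slot is cleared before the payload is stored, so the first proposal is kept for the key exchange while any later KEXINIT on the same connection hits an empty slot. The per-connection memory is then bounded by one proposal, and the remaining exposure is the number of concurrent unauthenticated connections, which is what the MaxStartups discussion in this comment is about.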
Comment 5 he zhiping 2016-11-11 03:59:45 UTC
Does CVE-2016-8858 affect SLES10SP3, SLES10SP3LTSS and SLES11SP3? If it does, HuaWei needs a PTF to fix it. Thanks.
Comment 6 Xuanke Han 2016-11-14 09:31:25 UTC
(In reply to he zhiping from comment #5)
> Does CVE-2016-8858 affect SLES10SP3, SLES10SP3LTSS and SLES11SP3? If it
> does, HuaWei needs a PTF to fix it. Thanks.

@Markus Meisters
If SLES10 SPx are not affected, should we publish an announcement on the website below:
https://www.suse.com/security/cve/CVE-2016-8858.html

Thanks,
Xuanke Han
Comment 12 Marcus Meissner 2017-01-10 14:28:10 UTC
(VulnDB 148976)
Comment 13 Marcus Meissner 2017-01-10 14:37:47 UTC
The patch would apply in a similar way also to openssh 5.1 and 4.1.

So all openssh versions seem to have the problem.
Comment 14 Marcus Meissner 2017-01-10 14:38:39 UTC
The issue was disputed by the openssh team.

** DISPUTED ** The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests.  NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."
Comment 16 Swamp Workflow Management 2017-01-11 10:00:19 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-01-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63339
Comment 17 Swamp Workflow Management 2017-01-11 10:25:15 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-01-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63340
Comment 18 Swamp Workflow Management 2017-01-23 16:12:22 UTC
SUSE-SU-2017:0264-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016368,1016369,1016370
CVE References: CVE-2016-10009,CVE-2016-10010,CVE-2016-10011,CVE-2016-10012,CVE-2016-8858
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    openssh-7.2p2-66.1, openssh-askpass-gnome-7.2p2-66.3
SUSE Linux Enterprise Server 12-SP2 (src):    openssh-7.2p2-66.1, openssh-askpass-gnome-7.2p2-66.3
SUSE Linux Enterprise Desktop 12-SP2 (src):    openssh-7.2p2-66.1, openssh-askpass-gnome-7.2p2-66.3
Comment 19 Swamp Workflow Management 2017-01-31 18:08:45 UTC
openSUSE-SU-2017:0344-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016368,1016369,1016370,1021626
CVE References: CVE-2016-10009,CVE-2016-10010,CVE-2016-10011,CVE-2016-10012,CVE-2016-8858
Sources used:
openSUSE Leap 42.2 (src):    openssh-7.2p2-9.1, openssh-askpass-gnome-7.2p2-9.1
Comment 21 Swamp Workflow Management 2017-02-03 08:14:38 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-02-17.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63383
Comment 22 Swamp Workflow Management 2017-03-03 20:10:35 UTC
SUSE-SU-2017:0603-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016369
CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    openssh-6.6p1-35.1, openssh-askpass-gnome-6.6p1-35.4
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openssh-6.6p1-35.1, openssh-askpass-gnome-6.6p1-35.4
Comment 23 Swamp Workflow Management 2017-03-06 11:08:45 UTC
SUSE-SU-2017:0606-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1016366,1016369
CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858
Sources used:
SUSE OpenStack Cloud 5 (src):    openssh-6.2p2-0.40.1, openssh-askpass-gnome-6.2p2-0.40.3
SUSE Manager Proxy 2.1 (src):    openssh-6.2p2-0.40.1, openssh-askpass-gnome-6.2p2-0.40.3
SUSE Manager 2.1 (src):    openssh-6.2p2-0.40.1, openssh-askpass-gnome-6.2p2-0.40.3
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    openssh-6.2p2-0.40.1, openssh-askpass-gnome-6.2p2-0.40.3
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    openssh-6.2p2-0.40.1, openssh-askpass-gnome-6.2p2-0.40.3
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openssh-6.2p2-0.40.1, openssh-askpass-gnome-6.2p2-0.40.3
Comment 24 Swamp Workflow Management 2017-03-06 14:07:55 UTC
SUSE-SU-2017:0607-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016369
CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1
Comment 25 Swamp Workflow Management 2017-03-09 08:08:31 UTC
SUSE-SU-2017:0607-2: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016369
CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1
SUSE Linux Enterprise Server 12-SP1 (src):    openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1
Comment 26 Swamp Workflow Management 2017-03-09 11:09:05 UTC
SUSE-SU-2017:0607-3: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016369
CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1
Comment 27 Swamp Workflow Management 2017-03-13 14:22:44 UTC
openSUSE-SU-2017:0674-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016369
CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858
Sources used:
openSUSE Leap 42.1 (src):    openssh-6.6p1-17.1, openssh-askpass-gnome-6.6p1-17.1
Comment 28 Kevin Barrett 2017-04-25 16:26:52 UTC
Will this fix be released in the SLE11-Security-Module channel in an openssh-openssl1 form?  Latest version in that channel is openssh-openssl1-6.6p1-15.1.x86_64.rpm (from Sep 2016) and it does not have this fix.
Comment 31 Kevin Barrett 2017-05-10 21:02:57 UTC
Should I open a new issue to get this ported to the openssh-openssl1 package in the SLE11-Security-Module?  We have migrated to using this package in one of our SLES11 products.
Comment 32 Ahmad Sadeghpour 2017-05-10 21:08:21 UTC
(In reply to Kevin Barrett from comment #31)
> Should I open a new issue to get this ported to the openssh-openssl1 package
> in the SLE11-Security-Module?  We have migrated to using this package in one
> of our SLES11 products.

Yes, please file your own Bugzilla entry and request it for your exact SLES version.
Comment 34 Swamp Workflow Management 2017-06-23 13:11:48 UTC
SUSE-SU-2017:1661-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016369
CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    openssh-openssl1-6.6p1-18.1
Comment 35 Marcus Meissner 2017-06-26 06:17:39 UTC
Released all, finally.