Bug 849536 - (CVE-2013-4548) VUL-0: CVE-2013-4548: openssh: memory corruption in post-authentication session allow code execution
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P3 - Medium, Major
Assigned To: Petr Cerny
Reported: 2013-11-08 09:37 UTC by Victor Pereira
Modified: 2016-08-31 04:24 UTC

Found By: Security Response Team
Description Victor Pereira 2013-11-08 09:37:34 UTC
OSS:11446


A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during kex exchange.

If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations.


References:
http://www.openssh.com/txt/gcmrekey.adv
http://comments.gmane.org/gmane.comp.security.oss.general/11446
Comment 1 Swamp Workflow Management 2013-11-08 09:40:00 UTC
The SWAMPID for this issue is 55036.
This issue was rated as important.
Please submit fixed packages until 2013-11-15.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Marcus Meissner 2013-11-08 10:56:38 UTC
This has a precondition that AES-GCM is supported by openssl.

Our openssl version currently in SUSE Linux Enterprise Server 11 does not support AES-GCM, so openssh is built without this support.

So SUSE Linux Enterprise Server 11 and older are not affected by this security issue.

(in buildlog:
[   70s] checking whether OpenSSL has AES GCM via EVP... no
)

openSUSE 13.1 is affected by this problem.

openSUSE 12.3 and older versions use older openssh versions without support for this cipher.
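
The triage in comment 2, as an added example that is not part of the bug report or of any SUSE or OpenSSH tooling: it reads the configure check from a build log and the `ciphers` line from `sshd -T` output to decide whether the AES-GCM precondition holds on a host. The function names and result labels are hypothetical, and the sample inputs in the comments are constructed apart from the configure line quoted in comment 2.

```python
import re

# Cipher names as given in the bug description.
AES_GCM_CIPHERS = ("aes128-gcm@openssh.com", "aes256-gcm@openssh.com")

# The configure check as it appears in the build log quoted in comment 2,
# e.g. "[   70s] checking whether OpenSSL has AES GCM via EVP... no".
_CONFIGURE_RE = re.compile(
    r"checking whether OpenSSL has AES GCM via EVP\.\.\.\s*(yes|no)\b")


def gcm_compiled_in(buildlog):
    """True/False from the configure check, None if the line is absent."""
    m = _CONFIGURE_RE.search(buildlog)
    return None if m is None else m.group(1) == "yes"


def gcm_ciphers_enabled(sshd_t_output):
    """AES-GCM ciphers on the 'ciphers' line of `sshd -T` output.

    Returns None when there is no 'ciphers' line, because the compiled-in
    defaults then apply and cannot be read from this text.
    """
    for line in sshd_t_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "ciphers":
            enabled = {c.strip() for c in parts[1].split(",")}
            return [c for c in AES_GCM_CIPHERS if c in enabled]
    return None


def assess(buildlog, sshd_t_output):
    """Classify a host; labels are hypothetical names for this example."""
    if gcm_compiled_in(buildlog) is False:
        return "no-gcm-support"      # the SLES 11 case from comment 2
    enabled = gcm_ciphers_enabled(sshd_t_output)
    if enabled is None:
        return "undetermined"        # defaults apply; inspect the binary
    if not enabled:
        return "gcm-not-offered"
    # Precondition met: compare the installed package with the fixed update.
    return "gcm-offered"


if __name__ == "__main__":
    log = "[   70s] checking whether OpenSSL has AES GCM via EVP... no"
    print(assess(log, "port 22\n"))  # constructed sshd -T fragment
```

A result of `gcm-offered` only says the precondition from comment 2 is met; whether the host is still vulnerable depends on the installed package being older than the update named in comment 6.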
Comment 3 Bernhard Wiedemann 2013-11-08 19:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (849536) was mentioned in
https://build.opensuse.org/request/show/206335 13.1 / openssh
Comment 4 Swamp Workflow Management 2013-11-08 23:00:13 UTC
bugbot adjusting priority
Comment 5 Benjamin Brunner 2013-11-18 11:08:19 UTC
Update released for openSUSE 13.1. Resolved fixed.
Comment 6 Swamp Workflow Management 2013-11-18 12:06:09 UTC
openSUSE-SU-2013:1726-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 849536
CVE References: CVE-2013-4548
Sources used:
openSUSE 13.1 (src):    openssh-6.2p2-3.4.1, openssh-askpass-gnome-6.2p2-3.4.1
Comment 7 Bernhard Wiedemann 2013-11-23 03:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (849536) was mentioned in
https://build.opensuse.org/request/show/207991 Factory / openssh