Bug 1183137 - (CVE-2021-28041) VUL-0: CVE-2021-28041: openssh-openssl1,openssh: double free in ssh-agent
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/279339/
Reported: 2021-03-07 10:35 UTC by Marcus Meissner
Modified: 2022-03-03 11:09 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2021-03-07 10:35:18 UTC
CVE-2021-28041

ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few
less-common scenarios, such as unconstrained agent-socket access on a legacy
operating system, or the forwarding of an agent to an attacker-controlled host.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28041
https://www.openwall.com/lists/oss-security/2021/03/03/1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28041
https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db
https://www.openssh.com/txt/release-8.5
https://www.openssh.com/security.html
Comment 1 Marcus Meissner 2021-04-29 10:46:04 UTC
According to external eval, only openssh 8.2 and newer are affected.
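
A defender-side check for the exposure described in this report, as an added example that is not part of the original bug thread: it flags ssh_config blocks that enable agent forwarding when the local OpenSSH reports an upstream version in the affected range (8.2 up to, but not including, 8.5). The function names and sample config are constructed for illustration, and it assumes ssh and ssh-agent come from the same package; the banner carries only the upstream version, so a distribution build with the fix backported (such as the openssh-8.4p1-3.9.1 update listed below) still reports 8.4 and must be confirmed against the package version.

```python
import re

# Upstream range from this report: 8.2 and newer (comment 1), fixed in 8.5.
AFFECTED_MIN, FIXED_IN = (8, 2), (8, 5)

# Constructed sample ssh_config, not taken from any real host.
SAMPLE_CONFIG = """\
ForwardAgent no
Host bastion.example.org
    ForwardAgent yes
Host *.lab.example.org
    ForwardAgent=$SSH_AUTH_SOCK
Host git.example.org
    forwardagent no
"""

def upstream_version(banner):
    """Extract (major, minor) from `ssh -V` style text such as 'OpenSSH_8.4p1, ...'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no OpenSSH version found in banner")
    return int(m.group(1)), int(m.group(2))

def in_affected_range(banner):
    return AFFECTED_MIN <= upstream_version(banner) < FIXED_IN

def forwarding_blocks(config_text):
    """List the Host/Match blocks in which ForwardAgent is anything but 'no'."""
    # Simplification: ssh_config uses the first value obtained per option; every
    # block that enables forwarding is reported so each one gets reviewed.
    flagged, block = [], "(global)"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key in ("host", "match"):
            block = f"{key} {value}"
        elif key == "forwardagent" and value.lower() != "no":
            flagged.append(block)  # 'yes', a socket path or a $VAR all enable it
    return flagged

def audit(banner, config_text):
    """Forwarding-enabled blocks, reported only for an affected upstream version."""
    return forwarding_blocks(config_text) if in_affected_range(banner) else []
```
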
Comment 2 Marcus Meissner 2021-10-04 14:40:28 UTC
SUSE:SLE-15-SP3:Update/openssh

is 8.4, so would be affected
Comment 3 Ali Abdallah 2021-10-26 09:33:38 UTC
@Marcus, on the [1] page for this CVE (CVE-2021-28041), the wrong bug is linked.

SUSE Bugzilla entries: 1183135 [RESOLVED / DUPLICATE], 1183137 [NEW]

Bug 1183135 is about a grub2 heap out-of-bound write; actually, the whiteboard entry of that bug contains CVE-2021-28041 instead of the correct grub2 CVE-2021-3408.

In addition, the minimal (single line) fix for ssh-agent CVE-2021-28041 released on most Linux distros is [2].

[1] https://www.suse.com/security/cve/CVE-2021-28041.html
[2] https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/015_sshagent.patch.sig
Comment 4 Marcus Meissner 2021-10-26 09:46:44 UTC
I removed the 1183135 association from our db; this should be reflected in the 2-hour rebuild of the CVE pages.
Comment 6 Swamp Workflow Management 2021-12-22 14:26:39 UTC
openSUSE-SU-2021:4153-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1183137
CVE References: CVE-2021-28041
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    openssh-8.4p1-3.9.1, openssh-askpass-gnome-8.4p1-3.9.1
Comment 7 Swamp Workflow Management 2021-12-22 14:31:38 UTC
SUSE-SU-2021:4153-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1183137
CVE References: CVE-2021-28041
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    openssh-8.4p1-3.9.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    openssh-8.4p1-3.9.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    openssh-askpass-gnome-8.4p1-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    openssh-8.4p1-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Hans Petter Jansson 2022-03-03 00:31:04 UTC
Verified this is both in SP3 and SP4. Can be closed if maint/security agree.
Comment 9 Gianluca Gabrielli 2022-03-03 11:09:47 UTC
SLE-15-SP4 takes it from SUSE:SLE-15-SP3:Update, so everything is done here. Thanks