Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 06 Feb 2013 19:23:18 -0700
From: Kurt Seifried <>
Subject: Re: CVE id request: openssh?

Hash: SHA1

On 02/06/2013 02:20 PM, Nico Golde wrote:
> Hello, years ago CVE-2006-1206 was raised for a denial of service
> attack against dropbear based on exhausting the maximum number of
> connections. Back in 2010 I played around with this in openssh to
> find out if similar attacks work against that. Since then I never
> really knew what to do with this, but every now and then I remember
> it and after this bugged me for a while, I finally brought up the
> topic to the openssh developers.
> The attached program demonstrates a similar attack against a
> default openssh installation. The program simply connects to an ssh
> server and waits for the socket to be closed, thus determining the
> LoginGraceTime setting of the server. Next, it opens up connections
> to the server, keeping them open until no further connection is
> allowed and thus determining the MaxStartUps setting (of course,
> this may not be always accurate depending on the currently active 
> sessions etc, but this is a minor detail).
> The code continues to sleep for logingracetime seconds and spawns
> maxstartup connections again. As a result, unless you are very
> lucky and you hit the time window between the connection respawn, a
> user can not login anymore.
> While this is a standard problem for any network service that
> limits the number of connections, I think in openssh's case this is
> supported by very historically very long LoginGraceTime default
> settings (2 minutes) and a lack of random early drop usage for
> MaxStartups.
> While you could argue that this is not per-se an openssh security
> issue, the default settings aid here to a trivial denial of service
> attack against ssh installations by all linux distributions I've
> seen.
> The result for a user who tries to login is this: 
> ssh_exchange_identification: Connection closed by remote host
> The openssh maintainers actually agree here and it resulted in the
> following changes: 
>  I personally don't mind whether this get's a CVE id or not,but
> considering that dropbear got one in the past,I thought I'd bring
> this up.
> Kind regards Nico

Please use CVE-2010-5107  for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Version: GnuPG v1.4.13 (GNU/Linux)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ