Date: Wed, 06 Feb 2013 19:23:18 -0700
From: Kurt Seifried <>
Subject: Re: CVE id request: openssh?

On 02/06/2013 02:20 PM, Nico Golde wrote:
> Hello, years ago CVE-2006-1206 was raised for a denial of service
> attack against dropbear based on exhausting the maximum number of
> connections. Back in 2010 I played around with this in openssh to
> find out if similar attacks work against that. Since then I never
> really knew what to do with this, but every now and then I remember
> it and after this bugged me for a while, I finally brought up the
> topic to the openssh developers.
> The attached program demonstrates a similar attack against a
> default openssh installation. The program simply connects to an ssh
> server and waits for the socket to be closed, thus determining the
> LoginGraceTime setting of the server. Next, it opens up connections
> to the server, keeping them open until no further connection is
> allowed and thus determining the MaxStartUps setting (of course,
> this may not be always accurate depending on the currently active
> sessions etc., but this is a minor detail).
> The code continues to sleep for logingracetime seconds and spawns
> maxstartup connections again. As a result, unless you are very
> lucky and you hit the time window between the connection respawn, a
> user can not login anymore.
> While this is a standard problem for any network service that
> limits the number of connections, I think in openssh's case this is
> supported by historically very long LoginGraceTime default
> settings (2 minutes) and a lack of random early drop usage for
> MaxStartups.
> While you could argue that this is not per-se an openssh security
> issue, the default settings aid here to a trivial denial of service
> attack against ssh installations by all linux distributions I've
> seen.
> The result for a user who tries to login is this:
> ssh_exchange_identification: Connection closed by remote host
> The openssh maintainers actually agree here and it resulted in the
> following changes:
> I personally don't mind whether this gets a CVE id or not, but
> considering that dropbear got one in the past, I thought I'd bring
> this up.
> Kind regards, Nico

Please use CVE-2010-5107 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
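The two settings Nico's report turns on, LoginGraceTime and MaxStartups, can be audited directly from sshd_config. The following Python script is an added example written for this page; it is not code from the thread or from the OpenSSH project. It parses a config the way sshd reads it (first obtained value wins, `#` comments stripped, time suffixes such as `2m` accepted) and flags a long grace period or a MaxStartups value with no random early drop. The 30-second threshold and the assumed built-in defaults (120 seconds and a plain `MaxStartups 10`, the pre-random-early-drop behaviour the mail describes) are assumptions chosen for the example; the two sample configs are constructed.

```python
"""Audit sshd_config for the LoginGraceTime / MaxStartups combination that
makes the connection-slot exhaustion described in CVE-2010-5107 trivial.

Added example for this page; not code from the thread or from OpenSSH.
"""
import re

# Assumed built-in defaults used when a keyword is absent: 120 s grace time
# (the "2 minutes" the mail mentions) and MaxStartups 10 with no random
# early drop (the behaviour the mail describes for older defaults).
DEFAULT_LOGIN_GRACE_TIME = "120"
DEFAULT_MAX_STARTUPS = "10"

# Assumed review threshold for how long one unauthenticated connection may
# hold a MaxStartups slot before sshd drops it.
MAX_ACCEPTABLE_GRACE_SECONDS = 30

_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed sample configs: the weak one mirrors the defaults the mail
# complains about, the hardened one uses a short grace time and random
# early drop (start:rate:full).
WEAK_CONFIG = """
# default-like settings
LoginGraceTime 2m
MaxStartups 10
"""
HARDENED_CONFIG = """
LoginGraceTime 30
MaxStartups 10:30:100
"""


def parse_time(value):
    """Parse an sshd time value ('120', '2m', '1h30m') into seconds."""
    text = value.strip().lower()
    if not re.fullmatch(r"(?:\d+[smhdw]?)+", text):
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(num) * _UNIT_SECONDS[unit]
               for num, unit in re.findall(r"(\d+)([smhdw]?)", text))


def parse_max_startups(value):
    """Parse 'start[:rate:full]' into (start, rate, full).

    rate is None when random early drop is not configured, in which case
    every connection beyond 'start' is refused outright.
    """
    parts = value.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, None, n
    if len(parts) == 3:
        start, rate, full = (int(p) for p in parts)
        return start, rate, full
    raise ValueError(f"bad MaxStartups value: {value!r}")


def parse_sshd_config(text):
    """Return {lowercase keyword: first value}; later duplicates are ignored,
    as sshd keeps the first obtained value. Match blocks are not handled;
    neither keyword audited here is valid inside one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if m is None:
            continue
        settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, value, finding) tuples for weak settings."""
    settings = parse_sshd_config(text)
    findings = []

    grace_raw = settings.get("logingracetime", DEFAULT_LOGIN_GRACE_TIME)
    grace = parse_time(grace_raw)
    if grace == 0:
        findings.append(("LoginGraceTime", grace_raw,
                         "0 means no limit; an idle connection holds its slot forever"))
    elif grace > MAX_ACCEPTABLE_GRACE_SECONDS:
        findings.append(("LoginGraceTime", grace_raw,
                         f"{grace}s exceeds {MAX_ACCEPTABLE_GRACE_SECONDS}s; "
                         "each unauthenticated connection holds a slot that long"))

    ms_raw = settings.get("maxstartups", DEFAULT_MAX_STARTUPS)
    start, rate, full = parse_max_startups(ms_raw)
    if rate is None:
        findings.append(("MaxStartups", ms_raw,
                         f"no random early drop: {full} held connections "
                         "refuse every new login until a slot frees"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'no findings'}")
```

With `MaxStartups 10:30:100`, sshd refuses connections beyond the tenth with a probability that rises linearly from 30% to 100% at the hundredth, so holding slots open no longer guarantees that a legitimate login is refused, and a short LoginGraceTime limits how long each held slot survives. Run the script against a live `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`.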
