OpenSSH J-PAKE protocol remote memory corruption

2014.01.29

Credit: Kurt

Risk: High

Local: No

Remote: Yes

CVE: CVE-2014-1692

CWE: CWE-119

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/schnorr.c

Revision 1.10: download - view: text, markup, annotated - select for diffs
Wed Jan 29 00:21:41 2014 UTC (3 hours, 14 minutes ago) by djm
Branches: MAIN
CVS tags: HEAD
Diff to: previous 1.9: preferred, coloured
Changes since revision 1.9: +4 -1 lines
In the experimental, never-enabled JPAKE code: clear returned digest and
length in hash_buffer() for error cases; could lead to memory corruption
later if EVP_Digest* fails.  Pointed out by Mark Dowd

As I understand it this can be enabled via code edit/gcc command line
options, so not sure if this qualified for a CVE or not (vuln in code,
yes, is code reachable? not under any default setup, and even on
non-default you have to go pretty far off to enable it).

References:

http://seclists.org/oss-sec/2014/q1/162

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/schnorr.c

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

OpenSSH J-PAKE protocol remote memory corruption

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.