Contributed by jcr on from the subcafinated dept.
An OpenSSH Security Advisory (partially quoted below) was released a few hours ago. Markus Friedl (markus@) found and fixed the issue in this commit. The change has also been back-ported to OpenBSD 5.4, and OpenBSD 5.3 has been upgraded to OpenSSH 6.4 to fix this issue. Errata for OpenBSD 5.4 and OpenBSD 5.3 have been updated, and patches are available.
A memory corruption vulnerability exists in the post- authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during kex exchange. If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations.
Please read the entire OpenSSH Security Advisory since it contains more information and may be updated.
TL;DR... If in place patching is difficult, mitigating the issue by disabling the AES-GCM cipher on affected hosts is advisable.
To do so add:
Then run SSHD to test the configuration: sudo /usr/sbin/sshd -T
In the output notice the ciphers line matches what you configured and no other configuration warnings are present. And then finally (to avoid outages) send the HUP signal to the root sshd process (ie. the one owned by root).
sudo pkill -HUP -lxf /usr/sbin/sshdWhen successful you will see similar additions to /var/log/authlog:
Nov 8 12:02:13 fnord sshd[3995]: Received SIGHUP; restarting. Nov 8 12:02:13 fnord sshd[2255]: Server listening on 0.0.0.0 port 22. Nov 8 12:02:13 fnord sshd[2255]: Server listening on :: port 22.
(Comments are closed)