[Bug 3414] New: Out Of Memory attacks over SSH connections

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Mar 24 19:37:46 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3414

            Bug ID: 3414
           Summary: Out Of Memory attacks over SSH connections
           Product: Portable OpenSSH
           Version: 8.9p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: security
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: kircherlike at outlook.com

If a common user wants to kill a privileged user's process on the
server, he is likely to choose this attack mode.

The attack principle is simple, as long as common users have more
memory resources than the server and keep creating SSH connections.

Although sshd has MaxStartups, PerSourceMaxStartups, and
PerSourceNetBlockSize limits on the number of concurrent connections
established by clients, sshd does not limit the total number of
connections established or disconnect some connections when there are a
large number of connections.

As an attacker, we simply run the following shell command:
for((i=0;i<1;));do sleep 1; ssh [ip address of server] & done

It doesn't take too long to trigger the kernel's OOM, similar to the
following.

[1033097.096765] sshd invoked oom-killer:
gfp_mask=0x6280ca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), order=0,
oom_score_adj=0

Tested with 4.19 kernels on x86 machines, About 2500 ssh connections
can use up 4GB of memory.

If the above command is used, this may not take about 1 hour..

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list