OpenSSL ASN.1 vulnerability: sshd not affected

Damien Miller djm at mindrot.org
Fri Apr 20 10:08:22 EST 2012


On Thu, 19 Apr 2012, Aris Adamantiadis wrote:

> Le 19/04/12 14:19, Damien Miller a ?crit :
> > Fortunately OpenSSH's sshd is not vulnerable - it has avoided the use
> > of ASN.1 parsing since 2002 when Markus wrote a custom RSA verification
> > function (openssh_RSA_verify):
> 
> Hi Damien,
> 
> In order to check the impact that this bug has on other software using
> libcrypto, your email caught my eye.
> I have a hard day figuring out if RSA_verify from libcrypto is
> vulnerable. From what I could read, this bug is only exploitable when
> the ASN.1 parsing is done on BIO objects, and RSA_verify parses from
> memory, thus avoiding the bug. (I could see it calls d2i_X509_SIG()
> which is not bio nor fp).
> OpenSSL also claims [1] that this bug is not exploitable on SSL/TLS
> clients/servers, so my opinion is that OpenSSH (and other software
> using RSA_verify) are not vulnerable.
> 
> But of course this doesn't alter anything in the good security
> practices in use for OpenSSH, that will protect from the next ASN.1 bug :)

Yes, I think you're right - the bug is only hit when calling d2i_*_(bio|fp)
functions. I believed these were done implicitly when parsing DER-encoded
structures and PEM-encoded keys, but a few people have told me that this
is not the case. My gloating was therefore misplaced.

Tavis' findings did include and depend on another problem in OpenSSL's
memory buffer code. This bug seems like it could enable exploitability
of other bugs that have not yet been found or made public, so IMO it
would be a good idea to patch anyway.

-d


More information about the openssh-unix-dev mailing list