Vigil@nce - FreeBSD OpenSSH: denial of service via a deadlock
November 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can open multiple SSH connections to the OpenSSH
server of FreeBSD in order to trigger deadlocks, leading to a
denial of service.
Impacted products: FreeBSD
Severity: 1/4
Creation date: 05/11/2014
DESCRIPTION OF THE VULNERABILITY
FreeBSD includes the OpenSSH server.
It can use Kerberos for user authentication. The Kerberos library
is multithreaded. However, the OpenSSH server is built without
thread support. So at dynamic link time (libc, Kerberos, POSIX
threads), the multithreaded versions of some functions may be
used instead of the single-threaded versions, and vice versa. As
a consequence, some locks may never be released, or some shared
data may be accessed without locking.
In the first case, processes that each serve one client connection
may never terminate, which wastes system resources.
An attacker can therefore open multiple SSH connections to the
OpenSSH server of FreeBSD in order to trigger deadlocks, leading
to a denial of service.
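A monitoring check for the symptom described above (per-connection sshd processes that never terminate), added here as an example and not part of the Vigil@nce bulletin. It assumes that unauthenticated per-connection processes carry "[accepted]" or "[net]" in their process title (titles vary between OpenSSH versions) and that such a process should not outlive sshd's default LoginGraceTime of 120 seconds; the function names and the sample ps output are constructed.

```shell
#!/bin/sh
# Constructed sample of `ps -ax -o pid,etime,command` output (not real data).
sample_ps() {
cat <<'EOF'
  PID     ELAPSED COMMAND
  812 12-03:14:07 /usr/sbin/sshd
 4410       00:42 sshd: [accepted]
 4388    02:10:33 sshd: unknown [net]
 4387    02:10:33 sshd: unknown [priv]
 4125  1-00:05:00 sshd: [accepted]
 3999    05:00:12 sshd: alice@pts/0
EOF
}

# Reads ps lines on stdin; prints "PID AGE_SECONDS TITLE" for unauthenticated
# per-connection sshd processes older than $1 seconds (default 120).
stuck_sshd() {
    awk -v limit="${1:-120}" '
    # Convert ps etime ([[dd-]hh:]mm:ss) to seconds; -1 if unparseable.
    function etime_secs(e,    d, n, p, rest) {
        d = 0; rest = e
        if (index(e, "-") > 0) { split(e, p, "-"); d = p[1]; rest = p[2] }
        n = split(rest, p, ":")
        if (n == 3) return d * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
        if (n == 2) return d * 86400 + p[1] * 60 + p[2]
        return -1
    }
    # The listener is skipped: its command is the binary path or "[listener]".
    $1 ~ /^[0-9]+$/ && $3 == "sshd:" {
        title = $0
        sub(/^[ \t]*[0-9]+[ \t]+[^ \t]+[ \t]+/, "", title)
        if (title ~ /\[listener\]/) next
        # Assumed pre-authentication title markers (see lead-in).
        if (title !~ /\[(accepted|net)\]/) next
        age = etime_secs($2)
        if (age > limit) print $1, age, title
    }'
}

# Live use on a host: ps -ax -o pid,etime,command | stuck_sshd 120
sample_ps | stuck_sshd 120
```

A steadily growing list from this check, with ages far beyond the grace time, is the resource-loss pattern the bulletin describes.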
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FreeBSD-OpenSSH-denial-of-service-via-a-deadlock-15587