Memory exhaustion issue in OpenSSH allows a DoS attack

Posted in SSH

Description: OpenSSH has a memory exhaustion bug in the key exchange process.
An unauthenticated peer could repeat the KEXINIT message and cause allocation of up to 384 MB (not the 128 MB that the official statement said).
In the default case, an attacker can open 100 such connections, which will consume 38400 MB of memory on the server.
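
To see how much pre-authentication memory a given server configuration exposes, the following added example (not part of the original advisory or of OpenSSH) parses an sshd_config and multiplies the connection cap by the advisory's 384 MB figure. It assumes the "100 connections" default above corresponds to sshd's `MaxStartups` setting (default `10:30:100`); the sample configuration text is constructed.

```python
import re

PER_CONN_MB = 384                  # per-connection figure from the advisory
DEFAULT_MAXSTARTUPS = "10:30:100"  # assumption: sshd's documented default

# Constructed sample: MaxStartups is commented out, so the default applies.
SAMPLE_CONFIG = "Port 22\n#MaxStartups 10:30:100\nLoginGraceTime 120\n"

def max_unauth_connections(config_text):
    """Return the hard cap on concurrent unauthenticated connections.

    MaxStartups is either "N" or "start:rate:full". The last field
    ("full", or N itself) is where sshd refuses all new unauthenticated
    connections. Keywords are case-insensitive and the first
    occurrence of a keyword wins.
    """
    value = DEFAULT_MAXSTARTUPS
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"maxstartups[\s=]+(\S+)\s*$", line, re.IGNORECASE)
        if m:
            value = m.group(1)
            break
    parts = value.split(":")
    if len(parts) not in (1, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable MaxStartups value: {value!r}")
    return int(parts[-1])

def worst_case_mb(config_text):
    """Upper bound on memory an unauthenticated peer set can force."""
    return max_unauth_connections(config_text) * PER_CONN_MB

def largest_safe_cap(budget_mb):
    """Largest connection cap whose worst case fits the memory budget."""
    return budget_mb // PER_CONN_MB

if __name__ == "__main__":
    print("connection cap:", max_unauth_connections(SAMPLE_CONFIG))
    print("worst case (MB):", worst_case_mb(SAMPLE_CONFIG))
    print("cap that fits a 2048 MB budget:", largest_safe_cap(2048))
```

On an unpatched server this gives a number to compare against available RAM while the rebuild is scheduled.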

Affected versions: all

Recommended action: Rebuild OpenSSH with the following patch applied:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c?rev=1.127&content-type=text/x-cvsweb-markup

Origin URLs:
