openssh bugs - Apr 2022 - [Bug 3414] Out Of Memory attacks over SSH connections

https://bugzilla.mindrot.org/show_bug.cgi?id=3414

            Bug ID: 3414
           Summary: Out Of Memory attacks over SSH connections
           Product: Portable OpenSSH
           Version: 8.9p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: security
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: kircherlike at outlook.com

If a common user wants to kill a privileged user's process on the
server, he is likely to choose this attack mode.

The attack principle is simple, as long as common users have more
memory resources than the server and keep creating SSH connections.

Although sshd has MaxStartups, PerSourceMaxStartups, and
PerSourceNetBlockSize limits on the number of concurrent connections
established by clients, sshd does not limit the total number of
connections established or disconnect some connections when there are a
large number of connections.

As an attacker, we simply run the following shell command:
for((i=0;i<1;));do sleep 1; ssh [ip address of server] & done

It doesn't take too long to trigger the kernel's OOM, similar to the
following.

[1033097.096765] sshd invoked oom-killer:
gfp_mask=0x6280ca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), order=0,
oom_score_adj=0

Tested with 4.19 kernels on x86 machines, About 2500 ssh connections
can use up 4GB of memory.

If the above command is used, this may not take about 1 hour..

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3414

kircher <kircherlike at outlook.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5                          |P1

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3414

kircher <kircherlike at outlook.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3414

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
closing bug resolved during openssh-9.0 release cycle

-- 
You are receiving this mail because:
You are watching the assignee of the bug.