Описание
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.
Отчет
This flaw needs a malicious MITM SSH server. When an application compiled with libssh2 connects to such a MITM SSH server, the server can trigger an integer overflow leading to an OOB read in the SSH_MSG_DISCONNECT logic. This can cause the application compiled with libssh2 to crash. This is strictly a client side crash and the SSH server may not be affected. Also note that when a user connects to a malicious MITM server there is already a risk of disclosing password/keys irrespective of the flaw.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | libssh2 | Out of support scope | ||
| Red Hat Enterprise Linux 8 | virt:rhel/libssh2 | Not affected | ||
| Red Hat Enterprise Linux 8 Advanced Virtualization | virt:8.0/libssh2 | Will not fix | ||
| Red Hat Enterprise Linux 7 | libssh2 | Fixed | RHSA-2020:3915 | 29.09.2020 |
| Red Hat OpenShift Do | openshiftdo/odo-init-image-rhel7 | Fixed | RHSA-2021:0949 | 22.03.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic i ...
EPSS
6.5 Medium
CVSS3