Bug 921070 (CVE-2015-1782) - VUL-0: CVE-2015-1782: libssh2_org: Using SSH_MSG_KEXINIT data unbounded
Summary: VUL-0: CVE-2015-1782: libssh2_org: Using SSH_MSG_KEXINIT data unbounded
Status: RESOLVED FIXED
Alias: CVE-2015-1782
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2015-03-23
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp1:60986 maint...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-06 13:12 UTC by Marcus Meissner
Modified: 2019-05-22 01:02 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---



Description Marcus Meissner 2015-03-06 13:12:51 UTC
via distros

From: Daniel Stenberg <daniel@haxx.se>
Hi good folks,

Here's a libssh2 flaw we're about to fix and announce on Wednesday. Would 
appreciate a CVE. Thanks!

Using SSH_MSG_KEXINIT data unbounded
====================================

Project libssh2 Security Advisory, March 11th 2015 -
[Permalink](http://www.libssh2.org/sec/adv_20150311.html)

VULNERABILITY
-------------

When negotiating a new SSH session with a remote server, one of libssh2's
functions for doing the key exchange (kex_agree_methods) was naively reading
data from the incoming packet and using it without doing sufficient range
checks. The SSH_MSG_KEXINIT packet arrives to libssh2 with a set of strings,
sent as a series of LENGTH + DATA pairs. libssh2 would go through the list and
read the LENGTH field, read the string following the LENGTH and then advance
the pointer LENGTH bytes in memory and expect to find the next LENGTH + DATA
pair there. Then move on until seven subsequent strings are taken care of. It
would naively assume that the (unsigned 32 bit) LENGTH fields were fine.

This packet arrives in the negotiating phase so the remote server has not yet
been deemed to be a known or trusted party.

A malicious attacker could man in the middle a real server and cause libssh2
using clients to crash (denial of service) or otherwise read and use
completely unintended memory areas in this process.

There are no known exploits of this flaw at this time.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2015-XXXX to this issue.

AFFECTED VERSIONS
-----------------

- Affected versions: all versions to and including 1.4.3
- Not affected versions: libssh2 >= 1.5.0

libssh2 is used by many applications, but not always advertised as such!

THE SOLUTION
------------

libssh2 1.5.0 makes sure that the LENGTH fields read from the packet fit
within the received packet size before attempting to read them, or it fails
graciously.

A patch for this problem is available at:

     http://www.libssh2.org/CVE-2015-XXXX.patch

[The patch URL will change in the final advisory]

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

A - Upgrade to libssh2 1.5.0

B - Apply the patch and rebuild libssh2

TIME LINE
---------

It was first reported to the libssh2 project on January 25 2015.

libssh2 1.5.0 was released on March 11th 2015, coordinated with the
publication of this advisory.

CREDITS
-------

Reported by Mariusz Ziulek. Patch written by Mariusz Ziulek and Daniel Stenberg.

Thanks a lot!

-- 

  / daniel.haxx.se
Comment 1 Marcus Meissner 2015-03-06 13:13:36 UTC
CRD: 2015-03-11
Comment 2 Marcus Meissner 2015-03-06 13:14:34 UTC
buffer overread by malicious server
Comment 3 Swamp Workflow Management 2015-03-06 23:00:23 UTC
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2015-03-09 10:18:34 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-03-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60982
Comment 7 Marcus Meissner 2015-03-11 13:45:09 UTC
is public

http://www.libssh2.org/adv_20150311.html


Using SSH_MSG_KEXINIT data unbounded

Project libssh2 Security Advisory, March 11th 2015 - Permalink
VULNERABILITY

When negotiating a new SSH session with a remote server, one of libssh2's functions for doing the key exchange (kex_agree_methods()) was naively reading data from the incoming packet and using it without doing sufficient range checks. The SSH_MSG_KEXINIT packet arrives to libssh2 with a set of strings, sent as a series of LENGTH + DATA pairs. libssh2 would go through the list and read the LENGTH field, read the string following the LENGTH and then advance the pointer LENGTH bytes in memory and expect to find the next LENGTH + DATA pair there. Then move on until seven subsequent strings are taken care of. It would naively assume that the (unsigned 32 bit) LENGTH fields were valid.

This packet arrives in the negotiating phase so the remote server has not yet been deemed to be a known or trusted party.

A malicious attacker could man in the middle a real server and cause libssh2 using clients to crash (denial of service) or otherwise read and use completely unintended memory areas in this process.

There are no known exploits of this flaw at this time.

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-1782 to this issue.

AFFECTED VERSIONS

    Affected versions: all versions to and including 1.4.3
    Not affected versions: libssh2 >= 1.5.0

libssh2 is used by many applications, but not always advertised as such!

THE SOLUTION

libssh2 1.5.0 makes sure that the LENGTH fields read from the packet fit within the received packet size before attempting to read them, or it fails graciously.

A patch for this problem is available at:

http://www.libssh2.org/CVE-2015-1782.patch

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade to libssh2 1.5.0

B - Apply the patch and rebuild libssh2

TIME LINE

It was first reported to the libssh2 project on January 25 2015. We contacted distros@openwall on March 6.

libssh2 1.5.0 was released on March 11th 2015, coordinated with the publication of this advisory.

CREDITS

Reported by Mariusz Ziulek. Patch written by Mariusz Ziulek and Daniel Stenberg.

Thanks a lot!
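The following is an added illustration of the bug class the advisory describes (in both the Description and the public copy above): walking a series of LENGTH + DATA name-lists from SSH_MSG_KEXINIT while trusting the 32-bit LENGTH fields, beside a bounds-checked walk that fails instead of reading past the received packet. It is not libssh2's code and does not reproduce kex_agree_methods(); the function names, the struct, and the two byte arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One SSH name-list as carried in SSH_MSG_KEXINIT: a big-endian uint32
   LENGTH followed by LENGTH bytes of comma-separated names (RFC 4253). */
struct namelist {
    const unsigned char *data;
    uint32_t len;
};

static uint32_t read_u32be(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The pattern the advisory describes for libssh2 <= 1.4.3: read LENGTH,
   take the string, advance LENGTH bytes, and trust LENGTH throughout.
   A LENGTH larger than the remaining packet walks the pointer out of the
   buffer, so this version must only ever be fed well-formed input. */
int parse_namelists_naive(const unsigned char *pkt, size_t pktlen,
                          struct namelist *out, size_t count)
{
    const unsigned char *s = pkt;
    (void)pktlen; /* received, but never consulted: that is the bug */
    for (size_t i = 0; i < count; i++) {
        uint32_t len = read_u32be(s);  /* no check that 4 bytes remain */
        out[i].data = s + 4;
        out[i].len = len;
        s += 4 + len;                  /* no check that len fits the packet */
    }
    return 0;
}

/* Hardened walk: before every read, check it fits within the bytes still
   left in the received packet; otherwise fail instead of reading on.
   Arithmetic is done on offsets, never on a pointer that may already be
   outside the buffer. */
int parse_namelists_checked(const unsigned char *pkt, size_t pktlen,
                            struct namelist *out, size_t count)
{
    size_t off = 0;
    for (size_t i = 0; i < count; i++) {
        if (pktlen - off < 4)
            return -1;                 /* no room for a LENGTH field */
        uint32_t len = read_u32be(pkt + off);
        off += 4;
        if (len > pktlen - off)
            return -1;                 /* LENGTH runs past the packet end */
        out[i].data = pkt + off;
        out[i].len = len;
        off += len;
    }
    return 0;
}

/* Constructed sample data (not captured traffic): two well-formed lists,
   "ssh-rsa" and "aes128-ctr". */
static const unsigned char GOOD_LISTS[] = {
    0, 0, 0, 7,  's', 's', 'h', '-', 'r', 's', 'a',
    0, 0, 0, 10, 'a', 'e', 's', '1', '2', '8', '-', 'c', 't', 'r'
};

/* Constructed malformed sample: the second LENGTH claims about 4 GiB but
   only one byte follows it. */
static const unsigned char BAD_LISTS[] = {
    0, 0, 0, 7,  's', 's', 'h', '-', 'r', 's', 'a',
    0xff, 0xff, 0xff, 0xf0, 'x'
};

int checked_accepts_good(void)
{
    struct namelist nl[2];
    return parse_namelists_checked(GOOD_LISTS, sizeof GOOD_LISTS, nl, 2);
}

int checked_rejects_bad(void)
{
    struct namelist nl[2];
    return parse_namelists_checked(BAD_LISTS, sizeof BAD_LISTS, nl, 2);
}

/* Same good bytes, but the packet is cut off after 20 bytes: the second
   LENGTH (10) no longer fits in the 5 bytes left. */
int checked_rejects_truncated(void)
{
    struct namelist nl[2];
    return parse_namelists_checked(GOOD_LISTS, 20, nl, 2);
}

/* The naive walk is only exercised on well-formed input here. */
uint32_t naive_second_len_on_good(void)
{
    struct namelist nl[2];
    parse_namelists_naive(GOOD_LISTS, sizeof GOOD_LISTS, nl, 2);
    return nl[1].len;
}

int main(void)
{
    printf("checked/good:      %d\n", checked_accepts_good());
    printf("checked/bad:       %d\n", checked_rejects_bad());
    printf("checked/truncated: %d\n", checked_rejects_truncated());
    printf("naive second len:  %u\n", (unsigned)naive_second_len_on_good());
    return 0;
}
```

The check `len > pktlen - off` is the point of the fix: it is evaluated against the bytes actually received, after the 4-byte LENGTH has already been accounted for, so neither a huge LENGTH nor a packet that was simply cut short can move the cursor outside the buffer. Checking for this in the unauthenticated KEXINIT phase matters because, as the advisory notes, the peer has not yet been verified at that point.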
Comment 8 Vítězslav Čížek 2015-03-11 14:11:59 UTC
openSUSE packages submitted.
Reassigning to security-team.
Comment 9 Bernhard Wiedemann 2015-03-11 15:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (921070) was mentioned in
https://build.opensuse.org/request/show/290304 13.2+13.1 / libssh2_org
Comment 10 Swamp Workflow Management 2015-03-19 07:04:55 UTC
openSUSE-SU-2015:0534-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 921070
CVE References: CVE-2015-1782
Sources used:
openSUSE 13.2 (src):    libssh2_org-1.5.0-9.4.1
openSUSE 13.1 (src):    libssh2_org-1.5.0-7.4.1
Comment 11 Andreas Stieger 2015-04-07 15:36:01 UTC
released
Comment 12 Swamp Workflow Management 2015-04-07 16:05:05 UTC
SUSE-SU-2015:0669-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 921070
CVE References: CVE-2015-1782
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    libssh2_org-1.4.3-11.1
SUSE Linux Enterprise Server 12 (src):    libssh2_org-1.4.3-11.1
SUSE Linux Enterprise Desktop 12 (src):    libssh2_org-1.4.3-11.1
Comment 13 Swamp Workflow Management 2015-04-08 01:05:30 UTC
SUSE-SU-2015:0676-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 921070
CVE References: CVE-2015-1782
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    libssh2_org-1.2.9-4.2.4.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    libssh2_org-1.2.9-4.2.4.1
SUSE Linux Enterprise Server 11 SP3 (src):    libssh2_org-1.2.9-4.2.4.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    libssh2_org-1.2.9-4.2.4.1