BSA-2019-767
21323
21 March 2019
21 March 2019
Closed
Low
N/A
N/A
CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861, CVE-2019-3862, CVE-2019-3863
Summary
Security Advisory ID : BSA-2019-767
Component : LIBSSH2
Revision : 1.0: Final
libssh2 is a client-side C library implementing the SSH2 protocol. It supports regular terminal, SCP and SFTP sessions; port forwarding and X11 forwarding; and password, key-based and keyboard-interactive authentication. libssh2 released a security update for nine vulnerabilities on March 18, 2019.
CVE-2019-3855: Possible integer overflow in transport read that could lead to an out-of-bounds write. A malicious server, or a remote attacker who compromises an SSH server, could send a specially crafted packet which could result in executing malicious code on the client system when a user connects to the server.
CVE-2019-3856: Possible integer overflow in keyboard-interactive handling allows an out-of-bounds write. A malicious or compromised SSH server can exploit the client system by sending a number of keyboard prompt requests approaching the maximum unsigned int value.
CVE-2019-3857: Possible integer overflow leads to a zero-byte allocation and an out-of-bounds write. A malicious server could send an SSH_MSG_CHANNEL_REQUEST packet with an exit signal message whose length is the maximum unsigned integer value.
CVE-2019-3858: Possible zero-byte allocation leading to an out-of-bounds read. An attacking server can send a specially crafted partial SFTP packet with a zero value for the payload length, allowing attackers to cause a Denial of Service or read data in the client memory.
CVE-2019-3859: Out-of-bounds reads with specially crafted payloads due to unchecked use of "_libssh2_packet_require" and "_libssh2_packet_requirev". A server could send a specially crafted partial packet in response to various commands, such as sha1 and sha256 key exchange, user auth list, and user auth password response, allowing attackers to cause a Denial of Service or read data in the client memory.
CVE-2019-3860: Out-of-bounds reads with specially crafted SFTP packets, which can also lead to Denial of Service or to reading data in the client memory.
CVE-2019-3861: Out-of-bounds reads with specially crafted SSH packets, occurring when the padding length value is greater than the packet length, which results in the parsing of the corrupted packet.
CVE-2019-3862: An out-of-bounds read occurs when the server sends specially crafted SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload, resulting in Denial of Service or the reading of data in the client memory.
CVE-2019-3863: Integer overflow in user-authentication keyboard-interactive handling allows out-of-bounds writes.
More information about these vulnerabilities can be found at: https://www.libssh2.org/security.html
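The length checks that the transport-layer issues above (CVE-2019-3855, CVE-2019-3861) turn on, shown as an added example: this is not libssh2 code or its patch. The function name, the status enum, the 35000-byte cap and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PACKET_LEN 35000u /* assumed cap for this example */

enum pkt_status { PKT_OK, PKT_SHORT, PKT_BAD_LENGTH, PKT_BAD_PADDING };

/* Constructed samples: uint32 packet_length, byte padding_length, payload, padding */
static const uint8_t sample_ok[16]   = {0, 0, 0, 12, 4, 'p', 'a', 'y', 'l', 'o', 'a', 'd'};
static const uint8_t sample_pad[16]  = {0, 0, 0, 12, 200};          /* padding > packet */
static const uint8_t sample_huge[16] = {0xff, 0xff, 0xff, 0xff, 4}; /* length = UINT32_MAX */

/* Validate the RFC 4253 section 6 framing before any payload byte is used.
 * On PKT_OK, *payload_len is the number of payload bytes starting at buf + 5. */
enum pkt_status check_ssh_packet(const uint8_t *buf, size_t buf_len, size_t *payload_len)
{
    if (buf_len < 5)
        return PKT_SHORT;
    uint32_t packet_len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                          ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    uint8_t padding_len = buf[4];

    /* Bound the peer-supplied length first, so sums and allocation
     * sizes derived from it later cannot wrap around. */
    if (packet_len < 5 || packet_len > MAX_PACKET_LEN)
        return PKT_BAD_LENGTH;
    /* Subtract on the trusted side instead of adding to packet_len. */
    if (buf_len - 4 < packet_len)
        return PKT_SHORT;
    /* RFC 4253 requires at least 4 bytes of padding, and the padding must
     * fit inside packet_len together with the padding_length byte. */
    if (padding_len < 4 || (uint32_t)padding_len > packet_len - 1)
        return PKT_BAD_PADDING;

    *payload_len = (size_t)packet_len - padding_len - 1;
    return PKT_OK;
}

int main(void)
{
    size_t n = 0;
    printf("ok=%d pad=%d huge=%d short=%d\n",
           check_ssh_packet(sample_ok, sizeof sample_ok, &n),
           check_ssh_packet(sample_pad, sizeof sample_pad, &n),
           check_ssh_packet(sample_huge, sizeof sample_huge, &n),
           check_ssh_packet(sample_ok, 10, &n));
    return 0;
}
```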
Products Confirmed Not Vulnerable
No Brocade Fibre Channel technology products from Broadcom are currently known to be affected by these vulnerabilities.
Revision History
Version | Change | Date |
---|---|---|
1.0 | Initial Publication | March 21, 2019 |