Bug 1146020 (CVE-2014-6603)

Summary: CVE-2014-6603 suricata: out-of-bounds access in SSH parser
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: athmanem, carnil, sgrubb
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: suricata 2.0.4
Doc Type: Bug Fix
Last Closed: 2015-08-21 23:14:35 UTC
Bug Depends On: 1146021

Description Vasyl Kaigorodov 2014-09-24 10:09:34 UTC
It was reported [1] that the application parser for SSH integrated in Suricata contains a flaw that might lead to an out-of-bounds access. For this reason a Denial of Service towards the Suricata monitoring software might be possible using crafted packets on the monitoring interface.

The application parser for SSH (src/app-layer-ssh.c) contains a function SSHParseBanner. In case the parsed buffer is either


"SSH-2.0\r-MySSHClient-0.5.1\n"

or

"SSH-2.0-\rMySSHClient-0.5.1\n"

the function will behave in the wrong way and attempt either a very big memory allocation or an out of bounds array access with negative index, which also might lead to out-of-bounds write access under certain conditions. The problem is caused due to the fact that the end of the banner and start of the software version are computed independently.

More information: http://suricata-ids.org/2014/09/23/suricata-2-0-4-available/

[1]: http://seclists.org/fulldisclosure/2014/Sep/79
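
The length arithmetic described in the report, as an added example that is not Suricata's code and not part of the original report. It is a minimal C model in which the line end and the software-version start are first computed independently and then with the delimiter search bounded by the line end; the function names `naive_sw_len` and `checked_sw_span` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Index of the first CR or LF, or len if the line is unterminated. */
static size_t line_end(const char *b, size_t len)
{
    size_t i = 0;
    while (i < len && b[i] != '\r' && b[i] != '\n')
        i++;
    return i;
}

/* Model of the flaw (hypothetical, not Suricata's code): the '-' is searched
 * for in the whole buffer, independent of the line end; result may be <= 0. */
int naive_sw_len(const char *b, size_t len, ptrdiff_t *sw_len)
{
    const char *dash;
    if (len < 4 || memcmp(b, "SSH-", 4) != 0 ||
        (dash = memchr(b + 4, '-', len - 4)) == NULL)
        return 0;
    *sw_len = (ptrdiff_t)line_end(b, len) - (dash - b + 1);
    return 1;
}

/* Bounded version: the delimiter only counts if it lies before the line end,
 * and an empty software version is rejected, so the length is always >= 1. */
int checked_sw_span(const char *b, size_t len, size_t *off, size_t *sw_len)
{
    size_t eol = line_end(b, len);
    const char *dash;
    if (eol < 4 || memcmp(b, "SSH-", 4) != 0 ||
        (dash = memchr(b + 4, '-', eol - 4)) == NULL)
        return 0;
    size_t start = (size_t)(dash - b) + 1;
    if (start >= eol)
        return 0;
    *off = start;
    *sw_len = eol - start;
    return 1;
}

int main(void)
{
    const char *bad = "SSH-2.0\r-MySSHClient-0.5.1\n"; /* from the report */
    ptrdiff_t n = 0; size_t off = 0, l = 0;
    naive_sw_len(bad, strlen(bad), &n);
    printf("naive=%td checked=%d\n", n, checked_sw_span(bad, strlen(bad), &off, &l));
}
```

In this model the two banners from the report give signed lengths of -2 and 0: the first becomes a very large value once converted to `size_t` for an allocation, and the second turns any `buf[len - 1]` access into a negative index. The bounded version rejects both.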

Comment 1 Vasyl Kaigorodov 2014-09-24 10:09:52 UTC
Created suricata tracking bugs for this issue:

Affects: fedora-all [bug 1146021]

Comment 2 Fedora Update System 2014-10-04 03:26:02 UTC
suricata-2.0.4-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.