Bug 1862456 (CVE-2020-16135)

Summary: CVE-2020-16135 libssh: NULL pointer dereference in sftpserver.c if ssh_buffer_new returns NULL
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: ansasaki, asn, dfediuck, djuran, eedri, erik-fedora, fidencio, kdudka, kyoshida, marcandre.lureau, mgoldboi, michal.skrivanek, mike, mpitt, negativo17, paul, rdieter, redhat-bugzilla, rjones, sahana, sbonazzo, sherold
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libssh. A NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-02 17:19:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1862457, 1862646, 1862647, 1873005
Bug Blocks: 1862459

Description Marian Rehak 2020-07-31 13:34:14 UTC
libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.

External Reference:

https://bugs.gentoo.org/734624

Comment 1 Marian Rehak 2020-07-31 13:34:40 UTC
Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1862457]

Comment 2 Todd Cullum 2020-07-31 20:39:38 UTC
Flaw summary:

In sftp_get_client_message() of sftpserver.c, there is code msg->complete_message = ssh_buffer_new();. There is no check for msg->complete_message being NULL and it is immediately passed into ssh_buffer_add_data() and then buffer_verify(), which will cause a NULL pointer dereference in the case where ssh_buffer_new() returned NULL. ssh_buffer_new() could return NULL if either calloc() or ssh_buffer_allocate_size() (which in some cases calls realloc()) fails an allocation in libssh-0.9.0 which is shipped with Red Hat Enterprise Linux 8.

The flaw exists in libssh-0.7.1 as shipped with Red Hat Enterprise Linux 7 Extras channel, but the code is slightly different: ssh_buffer_new() calls malloc() instead of calloc() and does not call ssh_buffer_allocate_size(), so the flaw would rely solely on malloc() failing/returning NULL in libssh-0.7.1.

This flaw could cause a crash in the sftpserver. However, because the allocations are based off of sizeof(struct ssh_buffer_struct) or a hardcoded size in malloc(), realloc() & calloc() calls, instead of externally provided input, there is no direct attacker-controlled code path to remotely trigger a NULL pointer dereference in this case.
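The allocation-failure pattern described in this comment, as an added example that is not libssh's code and is not taken from the merge request: msg_buffer, buffer_new(), buffer_add_data() and the get_message_*() functions are hypothetical stand-ins for ssh_buffer_new(), ssh_buffer_add_data() and sftp_get_client_message(), the allocator hook is an assumed test seam for forcing the NULL return without exhausting memory, and the packet bytes are constructed. It places the unchecked shape beside the checked one and shows that the checked version fails closed.

```c
/* Added example, not libssh source. msg_buffer, buffer_new(), buffer_add_data()
 * and get_message_*() are hypothetical stand-ins for the ssh_buffer_new() /
 * ssh_buffer_add_data() path in sftp_get_client_message() described above. */
#include <stdlib.h>
#include <string.h>

struct msg_buffer { unsigned char *data; size_t len, cap; };
struct client_message { struct msg_buffer *complete_message; };

/* Allocator hook (assumed test seam): tests point this at a failing allocator
 * to simulate memory exhaustion without actually exhausting memory. */
static void *(*alloc_hook)(size_t, size_t) = calloc;

/* Stand-in for ssh_buffer_new(): returns NULL when an allocation fails. */
static struct msg_buffer *buffer_new(void) {
    struct msg_buffer *b = alloc_hook(1, sizeof(*b));
    if (b == NULL)
        return NULL;
    b->cap = 64;
    b->data = alloc_hook(b->cap, 1);
    if (b->data == NULL) {
        free(b);
        return NULL;
    }
    return b;
}

static void buffer_free(struct msg_buffer *b) {
    if (b != NULL) {
        free(b->data);
        free(b);
    }
}

/* Stand-in for ssh_buffer_add_data(): dereferences b unconditionally, as the
 * flaw description says the real callee does, so a NULL b crashes here. */
static int buffer_add_data(struct msg_buffer *b, const void *p, size_t n) {
    if (b->len + n > b->cap)
        return -1;
    memcpy(b->data + b->len, p, n);
    b->len += n;
    return 0;
}

/* Vulnerable shape: buffer_new()'s result flows straight into buffer_add_data()
 * with no NULL check, so an allocation failure becomes a NULL pointer
 * dereference and crashes the server process. */
int get_message_vulnerable(struct client_message *msg, const unsigned char *pkt, size_t n) {
    msg->complete_message = buffer_new();
    return buffer_add_data(msg->complete_message, pkt, n);
}

/* Hardened shape: check the allocation and fail closed with an error code,
 * leaving msg in a state the caller can safely clean up. */
int get_message_fixed(struct client_message *msg, const unsigned char *pkt, size_t n) {
    msg->complete_message = buffer_new();
    if (msg->complete_message == NULL)
        return -1;
    if (buffer_add_data(msg->complete_message, pkt, n) < 0) {
        buffer_free(msg->complete_message);
        msg->complete_message = NULL;
        return -1;
    }
    return 0;
}

/* Always-failing allocator used to drive the failure path. */
static void *failing_calloc(size_t n, size_t sz) {
    (void)n; (void)sz;
    return NULL;
}

/* Constructed sample packet bytes (not real SFTP traffic). */
static const unsigned char sample_pkt[] = { 0x00, 0x00, 0x00, 0x05, 0x01 };

/* Returns 1 if the fixed path refuses the message cleanly under allocation
 * failure. get_message_vulnerable() is deliberately not called here: with the
 * same allocator it would segfault, which is exactly the crash the CVE covers. */
int demo_allocation_failure(void) {
    struct client_message msg = { NULL };
    alloc_hook = failing_calloc;
    int rc = get_message_fixed(&msg, sample_pkt, sizeof(sample_pkt));
    alloc_hook = calloc;
    return rc == -1 && msg.complete_message == NULL;
}

/* Returns the number of bytes stored when allocation succeeds (5 here). */
size_t demo_normal_path(void) {
    struct client_message msg = { NULL };
    if (get_message_fixed(&msg, sample_pkt, sizeof(sample_pkt)) != 0)
        return 0;
    size_t len = msg.complete_message->len;
    buffer_free(msg.complete_message);
    return len;
}
```

The same allocator hook is a cheap way to exercise every allocation-failure branch in a server's message parser under a unit test; reviewers of code like this should look for any allocator result that reaches a dereference without passing through a NULL check, as in the vulnerable function above.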

Comment 4 Todd Cullum 2020-07-31 22:05:11 UTC
Upstream bug tracker: https://bugs.libssh.org/T232
Merge request: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/120

I've lowered the impact to Low because there is no demonstrated way for an attacker to reliably force a NULL pointer dereference via a code path here. An attacker would likely need to groom the system via other means or exploitation of other flaws, in order to create conditions that would cause an allocation failure.

Comment 6 Todd Cullum 2020-07-31 22:12:12 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 7 Todd Cullum 2020-07-31 22:14:47 UTC
NOTE: this flaw exists in the file sftpserver.c, not tftpserver.c. tftpserver.c does not exist in libssh, and it appears to be a typo which propagated across all of the advisories, trackers, CVE, etc.

Comment 11 Todd Cullum 2020-08-06 03:18:32 UTC
Statement:

libssh2 as shipped with Red Hat Enterprise Linux 6, 7, and 8 is NOT affected by this flaw; libssh2 and libssh are different codebases, and libssh2 does not contain the vulnerable code. Red Hat Product Security has set the impact of this flaw to Low because there is no demonstrated way for an attacker to reliably force a NULL pointer dereference via a code path in the affected libssh code.

Comment 16 errata-xmlrpc 2021-11-09 18:34:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4387 https://access.redhat.com/errata/RHSA-2021:4387

Comment 17 errata-xmlrpc 2021-11-19 19:21:44 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:4750 https://access.redhat.com/errata/RHSA-2021:4750