Bug 1199511 (CVE-2015-1782) - CVE-2015-1782 libssh2: Using SSH_MSG_KEXINIT data unbounded
Summary: CVE-2015-1782 libssh2: Using SSH_MSG_KEXINIT data unbounded
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-1782
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.libssh2.org/adv_20150311.html
Whiteboard:
Depends On: 1226832
Blocks: 1210268 1225843
TreeView+ depends on / blocked
 
Reported: 2015-03-06 14:27 UTC by Fabio Olive Leite
Modified: 2019-10-10 09:40 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the kex_agree_methods() function of libssh2 performed a key exchange when negotiating a new SSH session. A man-in-the-middle attacker could use a crafted SSH_MSG_KEXINIT packet to crash a connecting libssh2 client.
Clone Of:
Environment:
Last Closed: 2015-11-20 05:45:22 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2140 normal SHIPPED_LIVE Low: libssh2 security and bug fix update 2015-11-19 08:17:03 UTC

Description Fabio Olive Leite 2015-03-06 14:27:32 UTC
The following issue was reported as affecting libssh2:

When negotiating a new SSH session with a remote server, one of libssh2's
functions for doing the key exchange (kex_agree_methods) was naively reading
data from the incoming packet and using it without doing sufficient range
checks. The SSH_MSG_KEXINIT packet arrives to libssh2 with a set of strings,
sent as a series of LENGTH + DATA pairs. libssh2 would go through the list and
read the LENGTH field, read the string following the LENGTH and then advance
the pointer LENGTH bytes in memory and expect to find the next LENGTH + DATA
pair there. Then move on until seven subsequent strings are taken care of. It
would naively assume that the (unsigned 32 bit) LENGTH fields were fine.

This packet arrives in the negotiating phase so the remote server has not yet
been deemed to be a known or trusted party.

A malicious attacker could man in the middle a real server and cause libssh2
using clients to crash (denial of service) or otherwise read and use
completely unintended memory areas in this process.

There are no known exploits of this flaw at this time.

Comment 2 Fabio Olive Leite 2015-03-06 14:43:09 UTC
External References:

http://www.libssh2.org/adv_20150311.html

Comment 6 Kamil Dudka 2015-03-09 13:29:04 UTC
I am adding Paul Howarth to CC as he is the maintainer of libssh2 in Fedora.

Paul, could you please take this issue into consideration when updating to latest upstream in Fedora?

According to the above information, the fix for this issue is likely going to be included in the upcoming upstream release of libssh2.  Unfortunately, I am leaving for vacation today and will mostly be offline until March 18th.

Comment 7 Paul Howarth 2015-03-09 13:40:18 UTC
I believe the upcoming release is due this coming Wednesday, 11th March.

Assuming the fix for this is included, that should address rawhide, but what about older releases (and indeed F-22)? Bump to 1.5.0 or just add the patch to the existing 1.4.3 builds?

Hope you enjoy your vacation!

Comment 9 Kamil Dudka 2015-03-09 14:01:09 UTC
(In reply to Paul Howarth from comment #7)
> Assuming the fix for this is included, that should address rawhide, but what
> about older releases (and indeed F-22)? Bump to 1.5.0 or just add the patch
> to the existing 1.4.3 builds?

It is really up to you.  I am fine with both the solutions.

> Hope you enjoy your vacation!

Will do, thanks!

Comment 10 Paul Howarth 2015-03-09 14:04:27 UTC
I'll probably just bump them all up to 1.5.0 then to pull in all the bug fixes.

Comment 13 Paul Howarth 2015-03-11 11:55:27 UTC
Just submitted updates for F-20, F-21 and F-22 but bodhi refused to add references to either this bug or CVE-2015-1782, presumably because of the issue still being private in bugzilla?

https://admin.fedoraproject.org/updates/libssh2-1.5.0-1.fc22
https://admin.fedoraproject.org/updates/libssh2-1.5.0-1.fc21
https://admin.fedoraproject.org/updates/libssh2-1.5.0-1.fc20

The upstream advisory has now moved to http://www.libssh2.org/adv_20150311.html by the way.

Comment 14 Fedora Update System 2015-03-15 10:52:37 UTC
libssh2-1.5.0-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2015-03-19 18:43:56 UTC
libssh2-1.5.0-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2015-03-30 07:12:38 UTC
libssh2-1.5.0-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 errata-xmlrpc 2015-11-19 05:21:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2140 https://rhn.redhat.com/errata/RHSA-2015-2140.html


Note You need to log in before you can comment on or make changes to this bug.