Bug 1749181 (CVE-2017-18594) - CVE-2017-18594 nmap: denial of service condition due to a double free when SSH connection fails
Summary: CVE-2017-18594 nmap: denial of service condition due to a double free when SS...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-18594
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1700114 1749182
Blocks: 1749184
TreeView+ depends on / blocked
 
Reported: 2019-09-05 05:49 UTC by Dhananjay Arunesh
Modified: 2021-02-16 21:24 UTC (History)
2 users (show)

Fixed In Version: nmap 7.80
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-16 10:10:33 UTC
Embargoed:


Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-09-05 05:49:50 UTC
A vulnerability was found in nse_libssh2.cc in Nmap 7.70 is subject to a denial of service condition due to a double free when an SSH connection fails, as demonstrated by a leading \n character to ssh-brute.nse or ssh-auth-methods.nse.

Reference:
https://github.com/nmap/nmap/issues/1227
https://github.com/nmap/nmap/issues/1077
https://seclists.org/nmap-dev/2018/q2/45
https://github.com/AMatchandaHaystack/Research/blob/master/Nmap%26libsshDF
https://github.com/nmap/nmap/commit/350bbe0597d37ad67abe5fef8fba984707b4e9ad
https://seclists.org/nmap-announce/2019/0

Comment 1 Dhananjay Arunesh 2019-09-05 05:50:21 UTC
Created nmap tracking bugs for this issue:

Affects: fedora-all [bug 1749182]

Comment 2 Cedric Buissart 2019-10-16 10:10:05 UTC
Statement:

Red Hat Enterprise Linux 8 is shipped with a vulnerable version of nmap sources, however, the libssh2 module is explicitly excluded from compilation, and is thus not affected. A future update may fix the source.

Red Hat Enterprise Linux 7 and older are shipped with nmap-6.40 and older, which do not contain the libssh2 module.


Note You need to log in before you can comment on or make changes to this bug.