Bug 1146020 (CVE-2014-6603) - CVE-2014-6603 suricata: out-of-bounds access in SSH parser
Summary: CVE-2014-6603 suricata: out-of-bounds access in SSH parser
Status: CLOSED ERRATA
Alias: CVE-2014-6603
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20140923,reported=2...
Keywords: Security
Depends On: 1146021
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-09-24 10:09 UTC by Vasyl Kaigorodov
Modified: 2015-08-21 23:14 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-08-21 23:14:35 UTC


Attachments (Terms of Use)

Description Vasyl Kaigorodov 2014-09-24 10:09:34 UTC
It was reported [1] that the application parser for SSH integrated in Suricata contains a flaw that might lead to an out-of-bounds access. For this reason a Denial of Service towards the Suricata monitoring software might be possible using crafted packets on the monitoring interface.

The application parser for SSH (src/app-layer-ssh.c) contains a function SSHParseBanner. In case the parsed buffer is either


"SSH-2.0\r-MySSHClient-0.5.1\n"

or

"SSH-2.0-\rMySSHClient-0.5.1\n"

the function will behave in the wrong way and attempt either a very big memory allocation or an out of bounds array access with negative index, which also might lead to out-of-bounds write access under certain conditions. The problem is caused due to the fact that the end of the banner and start of the software version are computed independently.

More information: http://suricata-ids.org/2014/09/23/suricata-2-0-4-available/

[1]: http://seclists.org/fulldisclosure/2014/Sep/79

Comment 1 Vasyl Kaigorodov 2014-09-24 10:09:52 UTC
Created suricata tracking bugs for this issue:

Affects: fedora-all [bug 1146021]

Comment 2 Fedora Update System 2014-10-04 03:26:02 UTC
suricata-2.0.4-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.