CVE-2019-13115

Description

In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.

CVSS Metrics

• v3.1•HIGH•Score: 8.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
• v2.0•MEDIUM•Score: 5.8AV:N/AC:M/Au:N/C:P/I:N/A:P

EPSS Trends

Current EPSS score: 42.40%• Percentile: 98%

Techniques & Countermeasures

• CWE-125•Out-of-bounds Read

  The product reads data past the end, or before the beginning, of the intended buffer.

• CWE-190•Integer Overflow or Wraparound

  The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Affected Systems

• debian•debian_linux

  8.0 | 9.0

• f5•traffix_systems_signaling_delivery_controller

  ≥ 5.0.0, ≤ 5.1.0

• fedoraproject•fedora

  29 | 30

• libssh2•libssh2

  < 1.9.0

• netapp•cloud_backup

  na

• netapp•e-series_santricity_os_controller

  ≥ 11.0.0, ≤ 11.70.1

• netapp•ontap_select_deploy_administration_utility

  na

References (15)

• https://github.com/libssh2/libssh2/pull/350
• https://libssh2.org/changes.html
• https://github.com/libssh2/libssh2/compare/02ecf17...42d37aa
• https://blog.semmle.com/libssh2-integer-overflow/
• https://lists.debian.org/debian-lts-announce/2019/07/msg00024.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6LUNHPW64IGCASZ4JQ2J5KDXNZN53DWW/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M7IF3LNHOA75O4WZWIHJLIRMA5LJUED3/
• https://security.netapp.com/advisory/ntap-20190806-0002/
• https://support.f5.com/csp/article/K13322484
• https://support.f5.com/csp/article/K13322484?utm_source=f5support&amp%3Butm_medium=RSS
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2021/12/msg00013.html
• http://packetstormsecurity.com/files/172834/libssh2-1.8.2-Out-Of-Bounds-Read.html
• https://lists.debian.org/debian-lts-announce/2023/09/msg00006.html