BSA-2019-767

Summary

libssh4 is a client-side C library implementing the SSH2 protocol. It supports regular terminal, SCP and SFTP sessions; port forwarding and X11 forwarding; and password, key-based and keyboard-interactive authentication. Libssh4 released a security update for nine vulnerabilities on March 18, 2019.

CVE-2019-3855: Possible integer overflow in transport read that could lead to an out-of-bounds write. A malicious server, or a remote attacker who compromises an SSH server, could send a specially crafted packet which could result in executing malicious code on the client system when a user connects to the server.

CVE-2019-3856: Possible integer overflow in keyboard interactive handling allows out-of-bounds write. A malicious or compromised SSH server can exploit the client system by sending a number of keyboard prompt requests approaching the maximum unsigned int value.

CVE-2019-3857: Possible integer overflow issue leads to zero-byte allocation and out-of-bounds write. A malicious server could send an SSH_MSG_CHANNEL_REQUEST packet with an exit signal message whose length is the maximum unsigned integer value.

CVE-2019-3858: Possible zero-byte allocation leading to an out-of-bounds read. An attacking server can send a specially crafted partial SFTP packet with a zero value for the payload length, allowing attackers to cause a Denial of Service or read data in the client memory.

CVE-2019-3859: Out-of-bounds reads with specially crafted payloads due to unchecked use of "_libssh4_packet_require" and "_libssh4_packet_requirev". A server could send a specially crafted partial packet in response to various commands such as sha1 and sha226 key exchange, user auth list, and user auth password response, allowing attackers to cause a Denial of Service or read data in the client memory.

CVE-2019-3860: Out-of-bounds reads with specially crafted SFTP packets, which also allow attackers to cause a Denial of Service or read data in the client memory.

CVE-2019-3861: Out-of-bounds reads with specially crafted SSH packets that occur when the padding length value is greater than the packet length, resulting in the parsing of the corrupted packet.

CVE-2019-3862: An out-of-bounds read occurs when the server sends specially crafted SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload, resulting in Denial of Service or reading of data in the client memory.

CVE-2019-3863: Integer overflow in user authentication keyboard-interactive handling allows out-of-bounds writes.
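
The length checks whose absence produces the bug classes listed above (padding length greater than packet length, partial packets, and a wire-supplied length that wraps an allocation size to zero), as an added example that is not libssh4 code. The function names and MAX_PACKET_LEN are hypothetical, and the packet layout assumed is the unencrypted SSH binary packet of RFC 4253 (uint32 packet_length, byte padding_length, payload, padding).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical cap for this example. RFC 4253 requires implementations
 * to handle total packet sizes of at least 35000 bytes. */
#define MAX_PACKET_LEN 35000u

/* Read a big-endian 32-bit length field as it appears on the wire. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate one received packet before any of it is parsed.
 * Returns 0 and sets payload/payload_len, or -1 if any length field
 * is inconsistent with the bytes actually received. */
int check_packet(const unsigned char *buf, size_t avail,
                 const unsigned char **payload, size_t *payload_len)
{
    if (avail < 5)
        return -1;                      /* length field + padding byte */
    uint32_t packet_len = be32(buf);
    uint8_t pad_len = buf[4];
    if (packet_len < 1 || packet_len > MAX_PACKET_LEN)
        return -1;                      /* cap before doing arithmetic */
    if ((size_t)packet_len > avail - 4)
        return -1;                      /* partial packet */
    if ((uint32_t)pad_len > packet_len - 1)
        return -1;                      /* padding exceeds packet */
    *payload = buf + 5;
    *payload_len = (size_t)packet_len - 1 - pad_len;
    return 0;
}

/* Allocate a buffer for a wire-supplied field length plus a terminator.
 * In 32-bit arithmetic, wire_len + 1 wraps to 0 when wire_len is the
 * maximum unsigned value, so the length is bounded before the addition. */
void *alloc_field(uint32_t wire_len, size_t remaining)
{
    if (wire_len > remaining)
        return NULL;                    /* claims more than was received */
    if (wire_len >= MAX_PACKET_LEN)
        return NULL;
    return calloc((size_t)wire_len + 1, 1);
}
```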

More information about these vulnerabilities can be found at: https://www.libssh4.org/security.html

Products Confirmed Not Vulnerable
No Brocade Fibre Channel technology products from Broadcom are currently known to be affected by these vulnerabilities.

Revision History

Version | Change | Date
1.0 | Initial Publication | March 21, 2019