5
CVSSv2

CVE-2015-3146

Published: 13/04/2016 Updated: 20/04/2016
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

The (1) SSH_MSG_NEWKEYS and (2) SSH_MSG_KEXDH_REPLY packet handlers in package_cb.c in libssh prior to 0.6.5 do not properly validate state, which allows remote malicious users to cause a denial of service (NULL pointer dereference and crash) via a crafted SSH packet.

Affected Products

Vendor Product Versions
LibsshLibssh0.6.4
CanonicalUbuntu Linux12.04, 14.04, 15.10
DebianDebian Linux7.0, 8.0
FedoraprojectFedora21, 22

Vendor Advisories

Several security issues were fixed in libssh ...
Debian Bug report logs - #784404 libssh: CVE-2015-3146: null pointer dereference due to a logical error in the handling of a SSH_MSG_NEWKEYS and KEXDH_REPLY packets Package: src:libssh; Maintainer for src:libssh is Laurent Bigonville <bigon@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, ...
The (1) SSH_MSG_NEWKEYS and (2) SSH_MSG_KEXDH_REPLY packet handlers in package_cbc in libssh before 065 do not properly validate state, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted SSH packet ...
Aris Adamantiadis discovered that libssh, a tiny C SSH library, incorrectly generated a short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively This flaw could allow an eavesdropper with enough re ...

Github Repositories