Allele Security Alert
ASA-2019-00574
Identifier(s)
ASA-2019-00574, CVE-2019-17498
Title
Out-of-bounds read when connecting to a malicious SSH server
Vendor(s)
The libssh2 project
Product(s)
libssh2
Affected version(s)
libssh2 version 1.9.0 and earlier
Fixed version(s)
libssh2 versions with the following commit applied:
packet.c: improve message parsing #402
https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94
Proof of concept
Yes
Description
There is an out-of-bounds read vulnerability, potentially leading to either denial of service or remote information disclosure. It is triggered when libssh2 is used to connect to a malicious SSH server. The overflow occurs when the SSH server sends a disconnect message, which means that the vulnerability can be triggered early in the connection process, before authentication is completed.
Technical details
The source location of the vulnerability is packet.c:480:
if(message_len < datalen-13) {
The value of datalen is untrusted because it is controlled by the remote SSH server. If datalen == 11, for example, then the unsigned subtraction datalen-13 wraps around to a very large value and the bounds check on message_len becomes ineffective. message_len is a 32-bit unsigned integer that is also controlled by the remote SSH server, so this can lead to an out-of-bounds read on line 485:
language_len = _libssh2_ntohu32(data + 9 + message_len);
The out-of-bounds read will usually just cause a segmentation fault, but there is also potential for it to cause other kinds of harm in the call to LIBSSH2_DISCONNECT on line 499:
if(session->ssh_msg_disconnect) {
    LIBSSH2_DISCONNECT(session, reason, message, message_len,
                       language, language_len);
}
Whether that happens depends on how the libssh2 library is used: session->ssh_msg_disconnect is a callback function that is null by default, but it can be set by the user of the library (by calling libssh2_session_callback_set), in which case the callback is invoked with the server-controlled message_len.
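To make the wraparound concrete, the following is an added example (not libssh2's code and not its fix) that reproduces the comparison from packet.c:480 beside a hypothetical length-checked parse of the same disconnect message layout, run over two constructed packets: a benign one and an 11-byte one carrying a huge message_len. The packet bytes, the function names and the hardened parser are all assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed packets, not captured traffic. SSH_MSG_DISCONNECT layout: byte
 * type, uint32 reason, uint32 message_len, message, uint32 language_len,
 * language; a well-formed packet is at least 13 bytes long. */
static const unsigned char benign_pkt[] = {
    1, 0, 0, 0, 11, 0, 0, 0, 3, 'b', 'y', 'e', 0, 0, 0, 0 };
static const unsigned char hostile_pkt[] = {   /* 11 bytes, message_len huge */
    1, 0, 0, 0, 11, 0xFF, 0xFF, 0xFF, 0xF0, 0, 0 };

static uint32_t be32(const unsigned char *p)   /* the role _libssh2_ntohu32() plays */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The test from packet.c:480: for datalen < 13 the unsigned subtraction wraps
 * to a huge value, so any message_len is accepted. */
int vulnerable_check_passes(size_t datalen, uint32_t message_len)
{
    return message_len < datalen - 13;
}

/* Hypothetical hardened parse (not libssh2's fix): every length is checked
 * against the bytes present before it is used as an offset; 0 = ok, -1 = reject. */
int parse_disconnect_safe(const unsigned char *data, size_t datalen,
                          uint32_t *msg_len, size_t *lang_off, uint32_t *lang_len)
{
    if(datalen < 13)
        return -1;
    *msg_len = be32(data + 5);            /* message body starts at offset 9 */
    if(*msg_len > datalen - 13)           /* message + language_len must fit */
        return -1;
    *lang_len = be32(data + 9 + *msg_len);
    *lang_off = 13 + *msg_len;
    if(*lang_len > datalen - *lang_off)   /* language tag must fit */
        return -1;
    return 0;
}

int main(void)
{
    uint32_t ml, ll; size_t lo;
    printf("vulnerable check accepts hostile packet: %d\n",
           vulnerable_check_passes(sizeof hostile_pkt, be32(hostile_pkt + 5)));
    printf("hardened parse rejects it: %d\n",
           parse_disconnect_safe(hostile_pkt, sizeof hostile_pkt, &ml, &lo, &ll) == -1);
    return 0;
}
```

On both 32-bit and 64-bit builds the vulnerable comparison accepts the 11-byte packet because datalen-13 wraps to near SIZE_MAX, while the hardened parse rejects it before any offset is formed.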
Credits
Kevin Backhouse (Semmle Security Research)
Reference(s)
Another libssh2 integer overflow (CVE-2019-17498)
https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/
packet.c: improve message parsing #402
https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94
Out-of-bounds read in libssh2 (CVE-2019-17498)
https://github.com/kevinbackhouse/SecurityExploits/tree/8cbdbbe6363510f7d9ceec685373da12e6fc752d/libssh2/out_of_bounds_read_disconnect_CVE-2019-17498
CVE-2019-17498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498
CVE-2019-17498
https://nvd.nist.gov/vuln/detail/CVE-2019-17498
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: October 22, 2019