Allele Security Alert
ASA-2019-00597
Identifier(s)
ASA-2019-00597, CVE-2019-16905
Title
Pre-Auth XMSS Integer Overflow
Vendor(s)
The OpenBSD Project
Product(s)
OpenSSH
Affected version(s)
OpenSSH versions 7.7 through 7.9
OpenSSH versions 8.x before 8.1
Fixed version(s)
OpenSSH version 8.1
Proof of concept
Unknown
Description
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm.
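A version-and-build triage check for the condition in the description above, as an added example that is not part of the alert or of OpenSSH; the function name, the result labels and the sample inputs are assumptions made here. A distribution may backport the fix without changing the version string, so an `affected` result still calls for checking the vendor's advisory.

```shell
# Added example (not from the alert): classify a host against ASA-2019-00597.
# BANNER is the text printed by `ssh -V`; KEYTYPES is the output of `ssh -Q key`.
# Prints one of: affected | in-range-no-xmss | not-in-range | unknown
classify_openssh() {
    banner=$1
    keytypes=$2

    # Pull "major minor" out of e.g. "OpenSSH_7.9p1, OpenSSL 1.1.1d".
    ver=$(printf '%s\n' "$banner" |
        sed -n 's/^.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p' |
        head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver% *}
    minor=${ver#* }

    # Affected range from the alert: 7.7 through 7.9, and 8.x before 8.1.
    in_range=no
    if [ "$major" -eq 7 ] && [ "$minor" -ge 7 ] && [ "$minor" -le 9 ]; then
        in_range=yes
    elif [ "$major" -eq 8 ] && [ "$minor" -lt 1 ]; then
        in_range=yes
    fi
    if [ "$in_range" = no ]; then
        echo not-in-range
        return 0
    fi

    # The flaw is only reachable when the experimental XMSS key type was
    # compiled in; such builds list ssh-xmss@openssh.com as a key type.
    if printf '%s\n' "$keytypes" | grep -q '^ssh-xmss'; then
        echo affected
    else
        echo in-range-no-xmss
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_KEYS_DEFAULT='ssh-ed25519
ssh-rsa
ecdsa-sha2-nistp256'
SAMPLE_KEYS_XMSS="$SAMPLE_KEYS_DEFAULT
ssh-xmss@openssh.com
ssh-xmss-cert-v01@openssh.com"

classify_openssh 'OpenSSH_7.9p1, OpenSSL 1.1.1d  10 Sep 2019' "$SAMPLE_KEYS_XMSS"
classify_openssh 'OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019' "$SAMPLE_KEYS_XMSS"
# On a live host: classify_openssh "$(ssh -V 2>&1)" "$(ssh -Q key)"
```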
Technical details
Unknown
Credits
Adam Zabrocki
Reference(s)
SSD Advisory – OpenSSH Pre-Auth XMSS Integer Overflow – SSD Secure Disclosure
https://ssd-disclosure.com/archives/4033/ssd-advisory-openssh-pre-auth-xmss-integer-overflow
oss-security – Announce: OpenSSH 8.1 released
https://www.openwall.com/lists/oss-security/2019/10/09/1
CVE-2019-16905 – OpenSSH Pre-Auth XMSS Integer Overflow
http://blog.pi3.com.pl/?p=678
Announce: OpenSSH 8.1 released
https://seclists.org/oss-sec/2019/q4/9
CVS log for src/usr.bin/ssh/sshkey-xmss.c
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c
src/usr.bin/ssh/sshkey-xmss.c – diff – 1.6
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c.diff?r1=1.5&r2=1.6&f=h
OpenSSH: Release Notes
https://www.openssh.com/releasenotes.html
CVE-2019-16905 OpenSSH Pre-Auth Integer Overflow Vulnerability in NetApp Products
https://security.netapp.com/advisory/ntap-20191024-0003/
CVE-2019-16905
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16905
CVE-2019-16905
https://nvd.nist.gov/vuln/detail/CVE-2019-16905
Last modified: October 25, 2019