ASA-2019-00574 – libssh2: Out-of-bounds read when connecting to a malicious SSH server

There is an out-of-bounds read vulnerability, potentially leading to either denial of service or remote information disclosure. It is triggered when libssh2 is used to connect to a malicious SSH server. The overflow occurs when the SSH server sends a disconnect message, which means that the vulnerability can be triggered early in the connection process, before authentication is completed.

ASA-2019-00547 – VMware: Out-of-bounds read/write vulnerabilities on virtual machine with 3D graphics enabled

VMware ESXi, Workstation and Fusion contain out-of-bounds read/write vulnerabilities in the pixel shader functionality. Exploitation of these issues requires an attacker to have access to a virtual machine with 3D graphics enabled. 3D graphics is not enabled by default on ESXi and is enabled by default on Workstation and Fusion. Successful exploitation of the out-of-bounds read issue (CVE-2019-5521) may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on the host. The out-of-bounds write issue (CVE-2019-5684) can be exploited only if the host has an affected NVIDIA graphics driver. Successful exploitation of this issue may lead to code execution on the host.

ASA-2019-00526 – wolfSSL wolfCrypt: Out-of-bounds read in GetLength_ex()

wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions() and DecodeOcspRespExtensions() in wolfcrypt/src/asn.c because reading the ASN_BOOLEAN byte is mishandled for a crafted DER certificate in GetLength_ex().

ASA-2019-00509 – FreeBSD: Insufficient message length validation in bsnmp library

A function extracting the length from type-length-value encoding does not properly validate the submitted length. A remote user could cause, for example, an out-of-bounds read or decoding of unrelated data, or trigger a crash of software such as bsnmpd, resulting in a denial of service.

ASA-2019-00508 – FreeBSD: ICMPv6 / MLDv2 out-of-bounds memory access

The ICMPv6 input path incorrectly handles cases where an MLDv2 listener query packet is internally fragmented across multiple mbufs. A remote attacker may be able to cause an out-of-bounds read or write that may cause the kernel to attempt to access an unmapped page and subsequently panic.

ASA-2019-00471 – FreeBSD: Bhyve out-of-bounds read in XHCI device

The pci_xhci_device_doorbell() function does not validate the 'epid' and 'streamid' provided by the guest, leading to an out-of-bounds read. A misbehaving bhyve guest could crash the system or access memory that it should not be able to.

ASA-2019-00463 – libssh2: Out-of-bounds read leading to information disclosure

In libssh2 before 1.9.0, the function kex_method_diffie_hellman_group_exchange_sha256_key_exchange() in the file kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises an SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.