CVE-2019-17498

Name
CVE-2019-17498
Description
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Exploit https://github.com/kevinbackhouse/SecurityExploits/tree/8cbdbbe6363510f7d9ceec685373da12e6fc752d/libssh2/out_of_bounds_read_disconnect_CVE-2019-17498
Exploit https://github.com/libssh2/libssh2/blob/42d37aa63129a1b2644bf6495198923534322d64/src/packet.c#L480
Exploit https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY7EEE34RFKCTXTMBQQWWSLXZWSCXNDB/
Third Party Advisory http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00026.html
Third Party Advisory https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22H4Q5XMGS3QNSA7OCL3U7UQZ4NXMR5O/
Patch https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:* libssh2 >= None <= 1.9.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
libssh2 edge-main 1.9.0-r2 Natanael Copa <ncopa@alpinelinux.org> fixed
libssh2 edge-main 1.9.0-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
libssh2 edge-main 1.9.0-r0 None possibly vulnerable
libssh2 edge-main 1.8.1-r0 None possibly vulnerable
libssh2 3.22-main 1.9.0-r1 None fixed
libssh2 3.22-main 1.9.0-r0 None possibly vulnerable
libssh2 3.22-main 1.8.1-r0 None possibly vulnerable
libssh2 3.21-main 1.9.0-r1 None fixed
libssh2 3.21-main 1.9.0-r0 None possibly vulnerable
libssh2 3.21-main 1.8.1-r0 None possibly vulnerable
libssh2 3.20-main 1.9.0-r1 None fixed
libssh2 3.20-main 1.9.0-r0 None possibly vulnerable
libssh2 3.20-main 1.8.1-r0 None possibly vulnerable
libssh2 3.19-main 1.9.0-r1 None fixed
libssh2 3.19-main 1.9.0-r0 None possibly vulnerable
libssh2 3.19-main 1.8.1-r0 None possibly vulnerable
libssh2 3.18-main 1.9.0-r1 None fixed
libssh2 3.17-main 1.9.0-r1 None fixed
libssh2 3.12-main 1.9.0-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
libssh2 3.11-main 1.9.0-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
libssh2 3.10-main 1.9.0-r1 Natanael Copa <ncopa@alpinelinux.org> fixed