CVE-2019-13115

Published: 16 July 2019

In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises an SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.
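
The bug class described above (a length check whose own arithmetic overflows), shown as an added illustration that is not libssh2's code and not part of the original advisory. The struct, function names and sample packets are hypothetical and constructed; the example assumes a big-endian 32-bit length prefix as used by SSH string encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical read cursor over one received packet (illustrative names). */
struct pkt_buf {
    const unsigned char *data;   /* start of the packet */
    const unsigned char *ptr;    /* current read position */
    size_t len;                  /* bytes actually received */
};

/* Flawed check: if want > len the unsigned subtraction wraps, and the
 * narrowing cast to int keeps only the low bits on common compilers. */
static int check_length_flawed(const struct pkt_buf *b, size_t want)
{
    return (int)(b->ptr - b->data) <= (int)(b->len - want);
}

/* Hardened check: compute the bytes remaining first, never subtract the
 * untrusted length, and compare in size_t without narrowing. */
static int check_length_safe(const struct pkt_buf *b, size_t want)
{
    size_t used = (size_t)(b->ptr - b->data);
    if (used > b->len)
        return 0;
    return want <= b->len - used;
}

/* Parse the big-endian uint32 length prefix and report whether the chosen
 * check would allow reading that many bytes. Returns -1 if truncated. */
static int length_accepted(const unsigned char *pkt, size_t n, int safe)
{
    struct pkt_buf b = { pkt, pkt, n };
    if (n < 4) return -1;
    uint32_t want = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                    ((uint32_t)pkt[2] << 8) | (uint32_t)pkt[3];
    b.ptr += 4;
    return safe ? check_length_safe(&b, want) : check_length_flawed(&b, want);
}

/* Constructed 16-byte sample packets, not captured traffic. */
static const unsigned char PKT_BAD[16] = { 0xFF, 0xFF, 0xFF, 0xF0 }; /* claims 4294967280 bytes */
static const unsigned char PKT_OK[16]  = { 0x00, 0x00, 0x00, 0x0C }; /* claims 12 bytes */

int main(void)
{
    printf("bad: flawed=%d safe=%d\n", length_accepted(PKT_BAD, 16, 0), length_accepted(PKT_BAD, 16, 1));
    return 0;
}
```

The flawed form accepts the oversized length because the wrapped difference becomes a small positive int; the hardened form rejects it while still accepting the well-formed packet.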

From the Ubuntu security team

It was discovered that libssh2 incorrectly handled Diffie Hellman key exchange. A remote attacker could possibly use this issue to cause a denial of service or obtain sensitive information.

Priority

Medium

CVSS 3 base score: 8.1

Status

Package: libssh2 (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (1.9.0, 1.4.3-4.1+deb8u4)
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (1.9.0-1)
Ubuntu 20.04 LTS (Focal Fossa): Needed
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 ESM (Xenial Xerus): Ignored (end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr): Needed

Patches:
Upstream: https://github.com/libssh2/libssh2/commit/ff1b155731ff8f790f12d980911d9fd84d0e1598