CVE-2019-17498

Published: 21 October 2019

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

From the Ubuntu Security Team

It was discovered that libssh2 incorrectly handled bound checks in SSH_MSG_DISCONNECT. A remote attacker could possibly use this issue to cause a denial of service or obtain sensitive information.

Priority

Cvss 3 Severity Score

8.1

Score breakdown

Status

Package	Release	Status
libssh2 Launchpad, Ubuntu, Debian	bionic	Needed
	disco	Ignored (reached end-of-life)
	eoan	Ignored (reached end-of-life)
	focal	Needed
	groovy	Ignored (reached end-of-life)
	hirsute	Not vulnerable (1.9.0-1)
	impish	Not vulnerable (1.9.0-1)
	jammy	Not vulnerable (1.9.0-1)
	kinetic	Not vulnerable (1.9.0-1)
	precise	Does not exist
	trusty	Released (1.4.3-2ubuntu0.2+esm2)
	upstream	Released (1.9.0-1, 1.4.3-4.1+deb8u6)
	xenial	Released (1.5.0-2ubuntu0.1+esm1)
	Patches: upstream: https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94

Severity score breakdown

Parameter	Value
Base score	8.1
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›