CVE-2023-6918
Published: 19 December 2023
A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libssh Launchpad, Ubuntu, Debian |
bionic |
Released
(0.8.0~20170825.94fa1e38-1ubuntu0.7+esm3)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
| focal |
Released
(0.9.3-2ubuntu2.5)
|
|
| jammy |
Released
(0.9.6-2ubuntu0.22.04.3)
|
|
| lunar |
Released
(0.10.4-2ubuntu0.3)
|
|
| mantic |
Released
(0.10.5-3ubuntu1.2)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Released
(0.10.6-1)
|
|
| xenial |
Released
(0.6.3-4.3ubuntu0.6+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
Patches: upstream: https://gitlab.com/libssh/libssh-mirror/-/commit/610d7a09f99c601224ae2aa3d3de7e75b1d284dd upstream: https://gitlab.com/libssh/libssh-mirror/-/commit/63ff242131c8e6d98917456f71f6d33b9ef3a763 upstream: https://gitlab.com/libssh/libssh-mirror/-/commit/8b66d037d575e5f3ce4d35964547ff8c7e75ff8e upstream: https://gitlab.com/libssh/libssh-mirror/-/commit/8977e246b6d7ae467cab008a49e0a9e3d84bc2a0 upstream: https://gitlab.com/libssh/libssh-mirror/-/commit/622421018b58392ffecc29726b947e089b678221 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References
- https://access.redhat.com/security/cve/CVE-2023-6918
- https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/
- https://www.libssh.org/security/advisories/CVE-2023-6918.txt
- https://ubuntu.com/security/notices/USN-6592-1
- https://ubuntu.com/security/notices/USN-6592-2
- https://www.cve.org/CVERecord?id=CVE-2023-6918
- NVD
- Launchpad
- Debian