#VU19258 Integer overflow in libssh2
Vulnerability identifier: #VU19258
Vulnerability risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-190
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
libssh2
Client/Desktop applications /
Software for system administration
Vendor: libssh2.org
Description
The vulnerability allows a remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system.
The vulnerability exists due to integer overflow in the "kex_method_diffie_hellman_group_exchange_sha256_key_exchange" function in the "kex.c" file. A remote attacker can trick a victim to connect to an attacker-controlled Secure Shell (SSH) server, which would allow the attacker to send packets that submit malicious input to the targeted system, trigger integer overflow leading to an out-of-bounds write condition and execute arbitrary code or cause a DoS condition.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
libssh2: 0.1 - 1.8.2
External links
http://blog.semmle.com/libssh2-integer-overflow/
http://github.com/libssh2/libssh2/compare/02ecf17...42d37aa
http://github.com/libssh2/libssh2/pull/350
http://libssh2.org/changes.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
