Libssh2, a popular open source client-side C library implementing the SSHv2 protocol, has released the latest version of its software to patch a total of nine security vulnerabilities.
The Libssh2 library is available for all major distributions of the Linux operating system, including Ubuntu, Red Hat, and Debian, and also comes bundled within some distributions and software as a default library.
According to an advisory published Monday, all the below listed vulnerabilities that were patched with the release of libssh2 version 1.8.1 lead to memory corruption issues which could result in arbitrary code execution on a client system in certain circumstances.
Here’s the list of security vulnerabilities patched in Libssh2:
1. CVE-2019-3855: Possible integer overflow in transport read that could lead to an out-of-bounds write. A malicious server, or a remote attacker who compromises an SSH server, could send a specially crafted packet which could result in executing malicious code on the client system when a user connects to the server.
2. CVE-2019-3856: Possible integer overflow in keyboard interactive handling allows an out-of-bounds write. A malicious or compromised SSH server can exploit the client system by sending a number of keyboard prompt requests approaching the unsigned int maximum.
3. CVE-2019-3857: Possible integer overflow issue leads to zero-byte allocation and out-of-bounds write. A malicious server could send an SSH_MSG_CHANNEL_REQUEST packet with an exit signal message whose length is the maximum unsigned integer value.
4. CVE-2019-3858: Possible zero-byte allocation leading to an out-of-bounds read. An attacking server can send a specially crafted partial SFTP packet with a zero value for the payload length, allowing attackers to cause a Denial of Service or read data in the client memory.
5. CVE-2019-3859: Out-of-bounds reads with specially crafted payloads due to unchecked use of “_libssh2_packet_require” and “_libssh2_packet_requirev”. A server could send a specially crafted partial packet in response to various commands, such as sha1 and sha256 key exchange, user auth list, and user auth password response, allowing attackers to cause a Denial of Service or read data in the client memory.
6. CVE-2019-3860: Out-of-bounds reads with specially crafted SFTP packets that also allow attackers to cause a Denial of Service or read data in the client memory.
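The bug class behind item 3, as an added illustration that is not libssh2's code: assuming a buffer is sized as length + 1 in 32-bit arithmetic, a length field at the unsigned maximum wraps the size to zero, while the hardened parser first checks the declared length against the bytes actually received. The function names and both sample fields are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample fields: 4-byte big-endian length, then the data. */
static const unsigned char CRAFTED[] = {0xff, 0xff, 0xff, 0xff, 'S', 'E', 'G', 'V'};
static const unsigned char VALID[] = {0x00, 0x00, 0x00, 0x04, 'S', 'E', 'G', 'V'};

static uint32_t read_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unsafe sizing (assumed pattern): len + 1 in 32-bit arithmetic wraps to 0
 * when len is UINT32_MAX. Only the size is returned; nothing is copied. */
uint32_t unsafe_alloc_size(const unsigned char *pkt) {
    return read_u32(pkt) + 1u;
}

/* Hardened: reject a declared length larger than the bytes received, then
 * allocate. Returns a NUL-terminated copy (caller frees) or NULL. */
char *copy_string_field(const unsigned char *pkt, size_t pkt_len, size_t *out_len) {
    if (pkt_len < 4) return NULL;            /* no room for the length field */
    uint32_t len = read_u32(pkt);
    if (len > pkt_len - 4) return NULL;      /* length exceeds received data */
    char *buf = malloc((size_t)len + 1);     /* cannot wrap: len <= pkt_len - 4 */
    if (buf == NULL) return NULL;
    memcpy(buf, pkt + 4, len);
    buf[len] = '\0';
    *out_len = len;
    return buf;
}

int main(void) {
    size_t n = 0;
    printf("unsafe size for crafted field: %u\n", (unsigned)unsafe_alloc_size(CRAFTED));
    char *bad = copy_string_field(CRAFTED, sizeof CRAFTED, &n);
    printf("hardened, crafted: %s\n", bad ? "accepted" : "rejected");
    char *ok = copy_string_field(VALID, sizeof VALID, &n);
    printf("hardened, valid: %s (%zu bytes)\n", ok ? ok : "rejected", n);
    free(bad); free(ok);
    return 0;
}
```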