cnvd - cnvd-2021-71262

cnvd-2021-71262

Vulnerability from cnvd

Title: libssh缓冲区溢出漏洞（CNVD-2021-71262）

Description:

Libssh是Libssh组织的一个用于访问SSH服务的C语言开发包，它能够执行远程命令、文件传输，同时为远程的程序提供安全的传输通道。

libssh存在缓冲区溢出漏洞，该漏洞源于libssh 允许在密钥重新交换操作中改变密钥交换方法。改变密钥交换方法时，如果采用不同长度的 hash ，将会导致缓冲区错误。目前没有详细的漏洞细节提供。

Severity: 中

Patch Name: libssh缓冲区溢出漏洞（CNVD-2021-71262）的补丁

Patch Description:

Libssh是Libssh组织的一个用于访问SSH服务的C语言开发包，它能够执行远程命令、文件传输，同时为远程的程序提供安全的传输通道。

libssh存在缓冲区溢出漏洞，该漏洞源于libssh 允许在密钥重新交换操作中改变密钥交换方法。改变密钥交换方法时，如果采用不同长度的 hash ，将会导致缓冲区错误。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.libssh.org/2021/08/26/libssh-0-9-6-security-release/

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-3634

Impacted products

Name
libssh libssh

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-3634"
    }
  },
  "description": "Libssh\u662fLibssh\u7ec4\u7ec7\u7684\u4e00\u4e2a\u7528\u4e8e\u8bbf\u95eeSSH\u670d\u52a1\u7684C\u8bed\u8a00\u5f00\u53d1\u5305\uff0c\u5b83\u80fd\u591f\u6267\u884c\u8fdc\u7a0b\u547d\u4ee4\u3001\u6587\u4ef6\u4f20\u8f93\uff0c\u540c\u65f6\u4e3a\u8fdc\u7a0b\u7684\u7a0b\u5e8f\u63d0\u4f9b\u5b89\u5168\u7684\u4f20\u8f93\u901a\u9053\u3002\n\nlibssh\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8elibssh \u5141\u8bb8\u5728\u5bc6\u94a5\u91cd\u65b0\u4ea4\u6362\u64cd\u4f5c\u4e2d\u6539\u53d8\u5bc6\u94a5\u4ea4\u6362\u65b9\u6cd5\u3002\u6539\u53d8\u5bc6\u94a5\u4ea4\u6362\u65b9\u6cd5\u65f6\uff0c\u5982\u679c\u91c7\u7528\u4e0d\u540c\u957f\u5ea6\u7684 hash \uff0c\u5c06\u4f1a\u5bfc\u81f4\u7f13\u51b2\u533a\u9519\u8bef\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.libssh.org/2021/08/26/libssh-0-9-6-security-release/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-71262",
  "openTime": "2021-09-15",
  "patchDescription": "Libssh\u662fLibssh\u7ec4\u7ec7\u7684\u4e00\u4e2a\u7528\u4e8e\u8bbf\u95eeSSH\u670d\u52a1\u7684C\u8bed\u8a00\u5f00\u53d1\u5305\uff0c\u5b83\u80fd\u591f\u6267\u884c\u8fdc\u7a0b\u547d\u4ee4\u3001\u6587\u4ef6\u4f20\u8f93\uff0c\u540c\u65f6\u4e3a\u8fdc\u7a0b\u7684\u7a0b\u5e8f\u63d0\u4f9b\u5b89\u5168\u7684\u4f20\u8f93\u901a\u9053\u3002\r\n\r\nlibssh\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8elibssh \u5141\u8bb8\u5728\u5bc6\u94a5\u91cd\u65b0\u4ea4\u6362\u64cd\u4f5c\u4e2d\u6539\u53d8\u5bc6\u94a5\u4ea4\u6362\u65b9\u6cd5\u3002\u6539\u53d8\u5bc6\u94a5\u4ea4\u6362\u65b9\u6cd5\u65f6\uff0c\u5982\u679c\u91c7\u7528\u4e0d\u540c\u957f\u5ea6\u7684 hash \uff0c\u5c06\u4f1a\u5bfc\u81f4\u7f13\u51b2\u533a\u9519\u8bef\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "libssh\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2021-71262\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "libssh libssh"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-3634",
  "serverity": "\u4e2d",
  "submitTime": "2021-09-02",
  "title": "libssh\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2021-71262\uff09"
}

CVE-2021-3634 (GCVE-0-2021-3634)

Vulnerability from cvelistv5

Published

2021-08-31 00:00

Modified

2024-08-03 17:01

Severity ?

CWE

CWE-787

Summary

A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating "secret_hash" of different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during second key re-exchange.

References

▼	URL	Tags
	https://bugzilla.redhat.com/show_bug.cgi?id=1978810
	https://www.debian.org/security/2021/dsa-4965	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVWAAB2XMKEUMPMDALINKAA4U2QM4LNG/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKYD3ZRAMDAQX3ZW6THHUF3GXN7FF6B4/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DRK67AJCWYYVAGF5SGAHNZXCX3PN3ZFP/	vendor-advisory
	https://www.oracle.com/security-alerts/cpujan2022.html
	https://security.netapp.com/advisory/ntap-20211004-0003/
	https://security.gentoo.org/glsa/202312-05	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	libssh	Version: libssh 0.9.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:01:07.562Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1978810"
          },
          {
            "name": "DSA-4965",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4965"
          },
          {
            "name": "FEDORA-2021-ec797b6a96",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVWAAB2XMKEUMPMDALINKAA4U2QM4LNG/"
          },
          {
            "name": "FEDORA-2021-288925ac19",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKYD3ZRAMDAQX3ZW6THHUF3GXN7FF6B4/"
          },
          {
            "name": "FEDORA-2021-f2a020a065",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DRK67AJCWYYVAGF5SGAHNZXCX3PN3ZFP/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20211004-0003/"
          },
          {
            "name": "GLSA-202312-05",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202312-05"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "libssh",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "libssh 0.9.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating \"secret_hash\" of different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during second key re-exchange."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-22T10:06:14.732204",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1978810"
        },
        {
          "name": "DSA-4965",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4965"
        },
        {
          "name": "FEDORA-2021-ec797b6a96",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVWAAB2XMKEUMPMDALINKAA4U2QM4LNG/"
        },
        {
          "name": "FEDORA-2021-288925ac19",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKYD3ZRAMDAQX3ZW6THHUF3GXN7FF6B4/"
        },
        {
          "name": "FEDORA-2021-f2a020a065",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DRK67AJCWYYVAGF5SGAHNZXCX3PN3ZFP/"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20211004-0003/"
        },
        {
          "name": "GLSA-202312-05",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202312-05"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-3634",
    "datePublished": "2021-08-31T00:00:00",
    "dateReserved": "2021-07-02T00:00:00",
    "dateUpdated": "2024-08-03T17:01:07.562Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted