var-201910-0984
Vulnerability from variot
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH. OpenSSH contains an integer overflow vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS).

Gentoo Linux Security Advisory GLSA 201911-01
https://security.gentoo.org/
Severity: Normal
Title: OpenSSH: Integer overflow
Date: November 07, 2019
Bugs: #697046
ID: 201911-01
Synopsis
An integer overflow in OpenSSH might allow an attacker to execute arbitrary code.
Background
OpenSSH is a complete SSH protocol implementation that includes SFTP client and server support.
NOTE: This USE flag is disabled by default!
Impact
A remote attacker could connect to a vulnerable OpenSSH server using a specially crafted XMSS key, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.
Workaround
Disable XMSS key type.
Resolution
All OpenSSH users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot -v ">=net-misc/openssh-8.0_p1-r4"
References
[ 1 ] CVE-2019-16905 https://nvd.nist.gov/vuln/detail/CVE-2019-16905
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201911-01
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5