===========================================================
== Subject:     Possible heap-buffer overflow when rekeying
==
== CVE ID#:     CVE-2021-3634
==
== Versions:    0.9.1 - 0.9.5
==
== Summary:     A malicious attacker can request rekey with
==              key exchange algorithm with digest of
==              different size, causing libssh reading or
==              writing behind the buffer limits.
==
===========================================================

===========
Description
===========

The SSH protocol keeps track of two shared secrets during the lifetime
of the session. One of them is called `secret_hash` and the other
`session_id`. Initially, both of them are the same, but after key
re-exchange, the previous `session_id` is kept and used as an input to
the new `secret_hash`.

Historically, both of these buffers shared one length variable, which
worked as long as the buffers were the same size. But the key
re-exchange operation can also change the key exchange method, which
can be based on a hash of a different size, eventually creating a
`secret_hash` of a different size than the `session_id`. This becomes
an issue when the `session_id` memory is zeroized or when it is used
again during a second key re-exchange.

==================
Patch Availability
==================

Patches addressing the issues have been posted to:

    https://www.libssh.org/security/

Additionally, libssh 1.9.6 has been issued as a security release to
correct the defect.

SSH administrators are advised to upgrade to these releases or apply
the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/ (5.3)

==========
Workaround
==========

Rekeying is part of the SSH protocol and can be initiated by either
peer, so it cannot be disabled on one side alone. The only temporary
workaround is to enable only key exchange algorithms with the same
digest size, for example for SHA256:

    rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_KEY_EXCHANGE,
                         "diffie-hellman-group14-sha256,curve25519-sha256,ecdh-sha2-nistp256");

=======
Credits
=======

Originally reported by OSS Fuzz.
Patches provided by Jakub Jelen of the libssh team.

==========================================================
== The libssh team
==========================================================
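The following is an added illustration, not libssh code, of the defect class described above: a hypothetical model in which `session_id` and `secret_hash` each carry their own length, so a rekey from a 20-byte digest to a 32-byte digest leaves the earlier `session_id` length intact. The `fake_exchange_hash`, `kex_secrets` and `shared_len_overrun` names are assumptions made for this example; the digest bytes are constructed, not real hashes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical model of the two shared secrets with one length field
 * per buffer, the layout a fix for the shared-length defect needs. */
typedef struct {
    uint8_t *session_id;     /* fixed for the whole session */
    size_t   session_id_len;
    uint8_t *secret_hash;    /* replaced on every key re-exchange */
    size_t   secret_hash_len;
} kex_secrets;

/* Stand-in for the exchange hash H: constructed pattern, not a real digest. */
static void fake_exchange_hash(uint8_t *out, size_t digest_len, uint8_t seed) {
    for (size_t i = 0; i < digest_len; i++) out[i] = (uint8_t)(seed + i);
}

/* First key exchange: secret_hash and session_id hold the same value. */
int kex_first(kex_secrets *s, size_t digest_len) {
    s->secret_hash = malloc(digest_len);
    s->session_id  = malloc(digest_len);
    if (!s->secret_hash || !s->session_id) return -1;
    fake_exchange_hash(s->secret_hash, digest_len, 0x10);
    memcpy(s->session_id, s->secret_hash, digest_len);
    s->secret_hash_len = s->session_id_len = digest_len;
    return 0;
}

/* Rekey, possibly with a different digest size; session_id is untouched. */
int kex_rekey(kex_secrets *s, size_t digest_len) {
    uint8_t *nh = malloc(digest_len);
    if (!nh) return -1;
    fake_exchange_hash(nh, digest_len, 0x20);
    memset(s->secret_hash, 0, s->secret_hash_len); /* wipe with ITS own length */
    free(s->secret_hash);
    s->secret_hash = nh;
    s->secret_hash_len = digest_len;
    return 0;
}

/* Bytes by which wiping session_id with a single shared length would overrun it. */
size_t shared_len_overrun(const kex_secrets *s) {
    return s->secret_hash_len > s->session_id_len
         ? s->secret_hash_len - s->session_id_len : 0;
}

/* Zeroize each buffer with its own length before releasing it. */
void kex_free(kex_secrets *s) {
    memset(s->session_id, 0, s->session_id_len);   free(s->session_id);
    memset(s->secret_hash, 0, s->secret_hash_len); free(s->secret_hash);
    memset(s, 0, sizeof *s);
}
```

After a SHA-1 (20-byte) first exchange followed by a SHA-256 (32-byte) rekey, `shared_len_overrun` reports the 12 bytes a shared length would write past the `session_id` allocation.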