===========================================================
== Subject:     Authorization bypass in pki_verify_data_signature
==
== CVE ID#:     CVE-2023-2283
==
== Versions:    (0.9.0 - 0.9.6) and (0.10.0 - 0.10.4)
==
== Summary:     The pki_verify_data_signature can accept invalid
==              signatures when some memory allocations fail.
==
===========================================================

===========
Description
===========

The authentication check of the connecting client can be bypassed in the
function `pki_verify_data_signature` when memory allocation fails. This can
happen, for example, when the system is low on memory or when the process's
memory usage is limited.

The problem is in the return variable `rc`, which is initialized to SSH_ERROR
but is then overwritten with the (successful) return value of the call to
`pki_key_check_hash_compatible`. The variable is not modified again between
that point and the cryptographic verification, so any failure in between
(such as a failed memory allocation) jumps to `goto error` and the function
returns the stale SSH_OK. The signature is thereby reported as valid without
ever having been verified.

Ed25519 keys are not affected in versions 0.9.x, where they use a different
code path, but they are affected in versions 0.10.x.

Only the OpenSSL cryptographic backend is affected.

==================
Patch Availability
==================

Patches addressing the issues have been posted to:

    https://www.libssh.org/security/

Additionally, libssh 0.9.7 and 0.10.5 have been issued as security releases
to correct the defect.

SSH administrators are advised to upgrade to these releases or apply the
patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.2)

==========
Workaround
==========

Use the Libgcrypt or MbedTLS cryptographic backend.

=======
Credits
=======

Originally reported by Kevin Backhouse (https://github.com/kevinbackhouse)
from GitHub Security Lab.

Patches provided by Pocs Norbert of the libssh team.
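The control-flow defect described above, reduced to a self-contained example. This is added illustration, not libssh code: the function names `verify_data_signature_vulnerable` / `verify_data_signature_fixed`, the `ctx_alloc` hook that forces allocation failures, the `key_check_hash_compatible` stand-in and the toy byte-comparison "verification" are all constructed for the example, and the hardened variant shows one way to fail closed, not necessarily the exact upstream patch.

```c
/* Added example of the CVE-2023-2283 pattern (constructed, not libssh code). */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define SSH_OK     0
#define SSH_ERROR -1

/* Constructed allocation hook: when nonzero every allocation fails,
 * standing in for the out-of-memory condition the advisory describes. */
static int g_fail_alloc = 0;

static void *ctx_alloc(size_t n)
{
    return g_fail_alloc ? NULL : malloc(n);
}

/* Stand-in for pki_key_check_hash_compatible(): SSH_OK for any
 * non-negative key type (constructed, not the real check). */
static int key_check_hash_compatible(int key_type)
{
    return key_type >= 0 ? SSH_OK : SSH_ERROR;
}

/* Toy "cryptographic verification": valid only if the signature bytes
 * equal the expected bytes. Constructed, only to show the control flow. */
static int toy_verify(const unsigned char *sig, size_t sig_len,
                      const unsigned char *expected, size_t exp_len)
{
    return (sig_len == exp_len && memcmp(sig, expected, exp_len) == 0)
           ? SSH_OK : SSH_ERROR;
}

/* Vulnerable control flow: rc starts as SSH_ERROR, is overwritten by the
 * compatibility check (SSH_OK), and is not reset before the goto error
 * path that follows, so a failed allocation returns SSH_OK. */
int verify_data_signature_vulnerable(int key_type,
                                     const unsigned char *sig, size_t sig_len,
                                     const unsigned char *expected, size_t exp_len)
{
    int rc = SSH_ERROR;
    void *ctx = NULL;

    rc = key_check_hash_compatible(key_type);
    if (rc != SSH_OK) {
        return SSH_ERROR;
    }

    ctx = ctx_alloc(64);          /* stand-in for the EVP context allocation */
    if (ctx == NULL) {
        goto error;               /* rc is still SSH_OK here */
    }

    rc = toy_verify(sig, sig_len, expected, exp_len);

error:
    free(ctx);
    return rc;
}

/* Hardened control flow: the compatibility check's result is consumed
 * immediately and never stored in rc, so rc stays SSH_ERROR until the
 * verification itself sets it. Every early exit therefore fails closed. */
int verify_data_signature_fixed(int key_type,
                                const unsigned char *sig, size_t sig_len,
                                const unsigned char *expected, size_t exp_len)
{
    int rc = SSH_ERROR;
    void *ctx = NULL;

    if (key_check_hash_compatible(key_type) != SSH_OK) {
        return SSH_ERROR;
    }

    ctx = ctx_alloc(64);
    if (ctx == NULL) {
        goto error;               /* rc is SSH_ERROR here */
    }

    rc = toy_verify(sig, sig_len, expected, exp_len);

error:
    free(ctx);
    return rc;
}

/* Driver: verify a deliberately wrong signature while allocations are
 * forced to fail, with either the vulnerable or the fixed variant. */
int bypass_check(int use_fixed)
{
    static const unsigned char good[] = "constructed-good-sig";
    static const unsigned char bad[]  = "constructed-bad-sig!";
    int rc;

    g_fail_alloc = 1;
    rc = use_fixed
        ? verify_data_signature_fixed(0, bad, sizeof bad - 1, good, sizeof good - 1)
        : verify_data_signature_vulnerable(0, bad, sizeof bad - 1, good, sizeof good - 1);
    g_fail_alloc = 0;
    return rc;
}

int main(void)
{
    printf("vulnerable, alloc failure, bad signature: %s\n",
           bypass_check(0) == SSH_OK ? "SSH_OK (bypass)" : "SSH_ERROR");
    printf("fixed,      alloc failure, bad signature: %s\n",
           bypass_check(1) == SSH_OK ? "SSH_OK (bypass)" : "SSH_ERROR");
    return 0;
}
```

The general lesson for reviewing such code is that a shared `rc` variable in a `goto error` cleanup pattern must hold a failure value at every point from which the error label is reachable; a single intermediate success assignment is enough to turn an allocation failure into an accepted signature.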
==========================================================
== The libssh team
==========================================================