=======================================================================
== Subject:     Null pointer dereference in NEWKEYS + KEXDH_REPLY packet
==
== CVE ID#:     CVE-2015-3146
==
== Versions:    All versions of libssh from 0.5.1 onwards, before 0.6.5
==
== Summary:     A malicious SSH_MSG_NEWKEYS or SSH_MSG_KEXDH_REPLY
==              packet could lead to a null pointer dereference crashing
==              the server or client.
==
==              This doesn't require any authentication.
==
=======================================================================

===========
Description
===========

libssh versions 0.5.1 and above have a logic error in the handling of an
SSH_MSG_NEWKEYS or SSH_MSG_KEXDH_REPLY packet. When the handler detected an
error it did not move the session into the error state correctly and kept
processing the packet, which leads to a null pointer dereference.

These packets are exchanged during the initial key exchange, before any
authentication and before encryption is active. Both client and server are
vulnerable, pre-authentication and pre-crypto, and the bug can be triggered
by a malicious peer or through a man-in-the-middle (MITM) attack. It can be
used for a Denial of Service (DoS) attack.

The bug was found and reported by Mariusz Ziulek from the Open Web
Application Security Project (OWASP).

==================
Patch Availability
==================

Patches addressing the issue have been posted to:

    https://www.libssh.org/

libssh version 0.6.5 has been released to address this issue.

==========
Workaround
==========

None.

=======
Credits
=======

This problem has been found and reported by Mariusz Ziulek from the Open
Web Application Security Project (OWASP).

Patches provided by the libssh Team.

==========================================================
== The libssh Team
==========================================================
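The failure mode described under Description, shown as an added example in C. This is illustrative code written for this page; it is not libssh's source and not part of the advisory. It models a hypothetical key-exchange state machine: the vulnerable NEWKEYS handler detects the out-of-order packet and records an error message, but never enters the error state and does not return, so it goes on to dereference a crypto context that is only set once KEXDH_REPLY has been processed. The hardened handler fails closed, and the dispatcher drops everything once the session is in the error state. The session layout and all type, field and function names (session_state, dh_handshake_state, next_crypto, process_packet and so on) are assumptions for the illustration; only the SSH message numbers are the real RFC 4253 values, and the key material is constructed filler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH_MSG_NEWKEYS     21   /* RFC 4253 message numbers */
#define SSH_MSG_KEXDH_REPLY 31

/* Hypothetical, simplified key-exchange state; the names are assumed, not libssh's. */
enum session_state { SESSION_STATE_DH, SESSION_STATE_AUTHENTICATING, SESSION_STATE_ERROR };
enum dh_state { DH_STATE_INIT_SENT, DH_STATE_NEWKEYS_SENT, DH_STATE_FINISHED };

struct crypto { uint8_t key[32]; size_t key_len; };
struct session {
    enum session_state state;
    enum dh_state dh_handshake_state;
    struct crypto pending;        /* storage for the keys derived from KEXDH_REPLY */
    struct crypto *next_crypto;   /* NULL until KEXDH_REPLY has been processed */
    struct crypto *current_crypto;
    char error[64];
};

static void session_init(struct session *s) {
    *s = (struct session){ .state = SESSION_STATE_DH, .dh_handshake_state = DH_STATE_INIT_SENT };
}

/* Record the error, enter the error state and tell the caller to stop. */
static int fail(struct session *s, const char *msg) {
    snprintf(s->error, sizeof s->error, "%s", msg);
    s->state = SESSION_STATE_ERROR;
    return -1;
}

/* KEXDH_REPLY: derive the pending keys (constructed filler bytes, not a real KDF). */
static int handle_kexdh_reply(struct session *s) {
    if (s->dh_handshake_state != DH_STATE_INIT_SENT)
        return fail(s, "KEXDH_REPLY received in wrong state");
    memset(s->pending.key, 0x42, sizeof s->pending.key);
    s->pending.key_len = sizeof s->pending.key;
    s->next_crypto = &s->pending;
    s->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
    return 0;
}

/* Vulnerable pattern: the state check fires and an error message is recorded, but
 * the session never enters the error state and the handler does not return, so it
 * goes on to use next_crypto, which is still NULL if NEWKEYS precedes KEXDH_REPLY. */
static int handle_newkeys_vulnerable(struct session *s) {
    if (s->dh_handshake_state != DH_STATE_NEWKEYS_SENT) {
        snprintf(s->error, sizeof s->error, "%s", "NEWKEYS received in wrong state");
        /* BUG: should be `return fail(s, ...)`; execution falls through instead */
    }
    s->current_crypto = s->next_crypto;
    s->dh_handshake_state = DH_STATE_FINISHED;
    s->state = SESSION_STATE_AUTHENTICATING;
    return (int)s->current_crypto->key_len;  /* NULL dereference on an early NEWKEYS */
}

/* Hardened form: fail closed before touching any state-dependent pointer. */
static int handle_newkeys_fixed(struct session *s) {
    if (s->dh_handshake_state != DH_STATE_NEWKEYS_SENT || s->next_crypto == NULL)
        return fail(s, "NEWKEYS received in wrong state");
    s->current_crypto = s->next_crypto;
    s->dh_handshake_state = DH_STATE_FINISHED;
    s->state = SESSION_STATE_AUTHENTICATING;
    return (int)s->current_crypto->key_len;
}

/* Dispatcher: once the session is in the error state nothing further is handled. */
static int process_packet(struct session *s, uint8_t type, int hardened) {
    if (s->state == SESSION_STATE_ERROR) return -1;
    switch (type) {
    case SSH_MSG_KEXDH_REPLY: return handle_kexdh_reply(s);
    case SSH_MSG_NEWKEYS:     return hardened ? handle_newkeys_fixed(s)
                                              : handle_newkeys_vulnerable(s);
    default:                  return fail(s, "unexpected packet during key exchange");
    }
}

/* Normal order, either variant: returns the negotiated key length (32). */
static int scenario_normal(int hardened) {
    struct session s; session_init(&s);
    if (process_packet(&s, SSH_MSG_KEXDH_REPLY, hardened) != 0) return -1;
    return process_packet(&s, SSH_MSG_NEWKEYS, hardened);
}

/* NEWKEYS before KEXDH_REPLY against the hardened handler: 1 if it is rejected, the
 * session ends in the error state and the later KEXDH_REPLY is dropped too. With
 * hardened=0 this sequence dereferences NULL, which is why it is not exercised here. */
static int scenario_early_newkeys_rejected(void) {
    struct session s; session_init(&s);
    int rc = process_packet(&s, SSH_MSG_NEWKEYS, 1);
    int rc_after = process_packet(&s, SSH_MSG_KEXDH_REPLY, 1);
    return rc == -1 && rc_after == -1 && s.state == SESSION_STATE_ERROR && s.next_crypto == NULL;
}

int main(void) {
    printf("normal order: fixed=%d vulnerable=%d; early NEWKEYS rejected=%d\n",
           scenario_normal(1), scenario_normal(0), scenario_early_newkeys_rejected());
    return 0;
}
```

The point to carry over to real code is the shape of the fix rather than the specific check: an error detected in a packet handler must both move the session into a terminal error state and leave the handler immediately, and the dispatcher must refuse further packets once that state is set. Because KEXDH_REPLY and NEWKEYS arrive before authentication and before encryption is enabled, an unauthenticated peer or an on-path attacker can choose their order freely, so any pointer that is only valid after a particular handshake step needs its state check to fail closed.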