FreeBSD : libssh -- possible heap-buffer overflow vulnerability (57b1ee25-1a7c-11ec-9376-0800272221cc)

medium Nessus Plugin ID 153827

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

libssh security advisories:

The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called `secret_hash` and the other `session_id`. Initially, both of them are the same, but after key re-exchange, the previous `session_id` is kept and used as an input to the new `secret_hash`.

Historically, both of these buffers had a shared length variable, which worked as long as these buffers were the same. But the key re-exchange operation can also change the key exchange method, which can be based on a hash of a different size, eventually creating a `secret_hash` of a different size than the `session_id` has.

This becomes an issue when the `session_id` memory is zeroized or when it is used again during second key re-exchange.

Solution

Update the affected package.

See Also

https://www.libssh.org/security/advisories/CVE-2021-3634.txt

https://www.libssh.org/2021/08/26/libssh-0-9-6-security-release/

http://www.nessus.org/u?265a9288

Plugin Details

Severity: Medium

ID: 153827

File Name: freebsd_pkg_57b1ee251a7c11ec93760800272221cc.nasl

Version: 1.5

Type: local

Published: 10/1/2021

Updated: 11/29/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS Score Source: CVE-2021-3634

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:libssh, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 9/21/2021

Vulnerability Publication Date: 8/26/2021

Reference Information

CVE: CVE-2021-3634

IAVA: 2022-A-0041-S