CVSS: 5.9EPSS: 96%CPEs: 79EXPL: 1CVE-2023-48795 – ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
https://notcve.org/view.php?id=CVE-2023-48795
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. • http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html http://seclists.org/fulldisclosure/2024/Mar/21 http://www.openwall.com/lists/oss-security/2023/12/18/3 http://www.openwall.com/lists/oss-security/2023/12/19/5 http://www.openwall.com/lists/oss-security/2023/12/20/3 http://www.openwall.com/lists/oss-security/2024/03/06/3 http://www.openwall.com/lists/oss-security/2024/04/17/8 https://access.redhat.com/security/cve/cve-2023-48 • CWE-222: Truncation of Security-relevant Information CWE-354: Improper Validation of Integrity Check Value •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3603 – Processing sftp server read may cause null dereference
https://notcve.org/view.php?id=CVE-2023-3603
A missing allocation check in sftp server processing read requests may cause a NULL dereference on low-memory conditions. The malicious client can request up to 4GB SFTP reads, causing allocation of up to 4GB buffers, which was not being checked for failure. This will likely crash the authenticated user's sftp server connection (if implemented as forking as recommended). For thread-based servers, this might also cause DoS for legitimate users. Given this code is not in any released versions, no security releases have been issued. • https://access.redhat.com/security/cve/CVE-2023-3603 https://bugzilla.redhat.com/show_bug.cgi?id=2221791 • CWE-476: NULL Pointer Dereference •
CVSS: 9.3EPSS: 0%CPEs: 11EXPL: 0CVE-2019-14889 – libssh: unsanitized location in scp could lead to unwanted command execution
https://notcve.org/view.php?id=CVE-2019-14889
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target. Se detectó un fallo con la función ssh_scp_new() de la API libssh en versiones anteriores a 0.9.3 y anteriores a 0.8.8. Cuando el cliente libssh SCP se conecta a un servidor, el comando scp, que incluye una ruta provista por el usuario, es ejecutado en el lado del servidor. • http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00047.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14889 https://lists.debian.org/debian-lts-announce/2019/12/msg00020.html https://lists.debian.org/debian-lts-announce/2023/05/msg00029.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JJWJTXVWLLJTVHBPGWL7472S5FWXYQR https://lists.fedoraproject.org/archives/li • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.1EPSS: 13%CPEs: 15EXPL: 24CVE-2018-10933 – libSSH - Authentication Bypass
https://notcve.org/view.php?id=CVE-2018-10933
A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access. Se ha detectado una vulnerabilidad en la máquina de estado del lado del servidor de libssh en versiones anteriores a la 0.7.6 y 0.8.4. Un cliente malicioso podría crear canales sin realizar antes la autenticación, lo que resulta en un acceso no autorizado. libSSH suffers from an authentication bypass vulnerability. • https://www.exploit-db.com/exploits/45638 https://www.exploit-db.com/exploits/46307 https://github.com/blacknbunny/CVE-2018-10933 https://github.com/SoledaD208/CVE-2018-10933 https://github.com/jas502n/CVE-2018-10933 https://github.com/Virgula0/POC-CVE-2018-10933 https://github.com/shifa123/pythonprojects-CVE-2018-10933 https://github.com/kn6869610/CVE-2018-10933 https://github.com/xFreed0m/CVE-2018-10933 https://github.com/r3dxpl0it/CVE-2018-10933 https://github.com&#x • CWE-287: Improper Authentication CWE-592: DEPRECATED: Authentication Bypass Issues •
CVSS: 7.5EPSS: 6%CPEs: 8EXPL: 0CVE-2015-3146
https://notcve.org/view.php?id=CVE-2015-3146
The (1) SSH_MSG_NEWKEYS and (2) SSH_MSG_KEXDH_REPLY packet handlers in package_cb.c in libssh before 0.6.5 do not properly validate state, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted SSH packet. Los manejadores de paquete (1) SSH_MSG_NEWKEYS y (2) SSH_MSG_KEXDH_REPLY en package_cb.c en libssh en versiones anteriores a 0.6.5 no valida correctamente el estado, lo que permite a atacantes remotos provocar una denegación de servicio (referencia a puntero NULL y caída) a través de un paquete SSH manipulado. • http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161802.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158013.html http://www.debian.org/security/2016/dsa-3488 http://www.ubuntu.com/usn/USN-2912-1 https://git.libssh.org/projects/libssh.git/commit/?h=libssh-0.6.5&id=94f6955fbaee6fda9385a23e505497efe21f5b4f https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release https://www.libssh.org/security/advisories/CVE-2015-3146.txt •