CVE-2023-6918

Libssh: missing checks for return values for digests

Severity Score

9.3

*CVSS v4

Exploit Likelihood

< 1%

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.

Se encontró un fallo en la capa abstracta de implementación de libssh para operaciones de resumen de mensajes (MD) implementadas por diferentes backends criptográficos compatibles. Los valores de retorno de estos no se verificaron correctamente, lo que podría causar fallas en situaciones de poca memoria, desreferencias NULL, fallas o uso de la memoria no inicializada como entrada para el KDF. En este caso, las claves que no coinciden resultarán en fallas de descifrado/integridad, lo que terminará la conexión.

It was discovered that libssh incorrectly handled the ProxyCommand and the ProxyJump features. A remote attacker could possibly use this issue to inject malicious code into the command of the features mentioned through the hostname parameter. It was discovered that libssh incorrectly handled return codes when performing message digest operations. A remote attacker could possibly use this issue to cause libssh to crash, obtain sensitive information, or execute arbitrary code.

*Credits: Red Hat would like to thank Jack Weinstein (<mike.code.bb.h@gmail.com>) for reporting this issue.

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

High

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-12-18 CVE Reserved
2023-12-18 CVE Published
2025-02-15 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-252: Unchecked Return Value

CAPEC

References (8)

URL	Tag	Source
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/messa...	Third Party Advisory
https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases	Release Notes

1 - 2 of 2

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2024:2504	2024-05-22
https://access.redhat.com/errata/RHSA-2024:3233	2024-05-22
https://access.redhat.com/security/cve/CVE-2023-6918	2024-05-22
https://bugzilla.redhat.com/show_bug.cgi?id=2254997	2024-05-22
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M...	2024-05-22
https://www.libssh.org/security/advisories/CVE-2023-6918.txt	2024-05-22

1 - 6 of 6

Affected Vendors, Products, and Versions (6)

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Libssh Search vendor "Libssh"		Libssh Search vendor "Libssh" for product "Libssh"				>= 0.9.0 < 0.9.8 Search vendor "Libssh" for product "Libssh" and version " >= 0.9.0 < 0.9.8"		-		Affected
Libssh Search vendor "Libssh"		Libssh Search vendor "Libssh" for product "Libssh"				>= 0.10.0 < 0.10.6 Search vendor "Libssh" for product "Libssh" and version " >= 0.10.0 < 0.10.6"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				38 Search vendor "Fedoraproject" for product "Fedora" and version "38"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				39 Search vendor "Fedoraproject" for product "Fedora" and version "39"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				9.0 Search vendor "Redhat" for product "Enterprise Linux" and version "9.0"		-		Affected

1 - 6 of 6