Details of VAR-201910-0984

ID

VAR-201910-0984

CVE

CVE-2019-16905

TITLE

OpenSSH Integer overflow vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-010763

DESCRIPTION

OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH. OpenSSH Contains an integer overflow vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201911-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: OpenSSH: Integer overflow Date: November 07, 2019 Bugs: #697046 ID: 201911-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== An integer overflow in OpenSSH might allow an attacker to execute arbitrary code. Background ========== OpenSSH is a complete SSH protocol implementation that includes SFTP client and server support. NOTE: This USE flag is disabled by default! Impact ====== A remote attacker could connect to a vulnerable OpenSSH server using a special crafted XMSS key possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround ========== Disable XMSS key type. Resolution ========== All OpenSSH users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=net-misc/openssh/openssh-8.0_p1-r4" References ========== [ 1 ] CVE-2019-16905 https://nvd.nist.gov/vuln/detail/CVE-2019-16905 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201911-01 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 1.8

sources: NVD: CVE-2019-16905 // JVNDB: JVNDB-2019-010763 // VULMON: CVE-2019-16905 // PACKETSTORM: 155205

AFFECTED PRODUCTS

vendor:	openbsd	model:	openssh	scope:	gte	version:	8.0	Trust: 1.0
vendor:	siemens	model:	scalance x204rna	scope:	lt	version:	3.2.7	Trust: 1.0
vendor:	siemens	model:	scalance x204rna ecc	scope:	lt	version:	3.2.7	Trust: 1.0
vendor:	netapp	model:	steelstore cloud integrated storage	scope:	eq	version:	-	Trust: 1.0
vendor:	openbsd	model:	openssh	scope:	lte	version:	7.9	Trust: 1.0
vendor:	netapp	model:	cloud backup	scope:	eq	version:	-	Trust: 1.0
vendor:	openbsd	model:	openssh	scope:	lt	version:	8.1	Trust: 1.0
vendor:	openbsd	model:	openssh	scope:	gte	version:	7.7	Trust: 1.0
vendor:	openbsd	model:	openssh	scope:	eq	version:	8.1	Trust: 0.8
vendor:	openbsd	model:	openssh	scope:	eq	version:	7.7 to 7.9	Trust: 0.8
vendor:	openbsd	model:	openssh	scope:	lt	version:	8.x	Trust: 0.8

sources: JVNDB: JVNDB-2019-010763 // NVD: CVE-2019-16905

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-16905
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-16905
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201910-599
value:	HIGH
Trust: 0.6
VULMON:	CVE-2019-16905
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-16905
severity:	MEDIUM
baseScore:	4.4
vectorString:	AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.4
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2019-16905
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-16905
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2019-16905 // JVNDB: JVNDB-2019-010763 // CNNVD: CNNVD-201910-599 // NVD: CVE-2019-16905

PROBLEMTYPE DATA

problemtype:

CWE-190

Trust: 1.8

sources: JVNDB: JVNDB-2019-010763 // NVD: CVE-2019-16905

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201910-599

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201910-599

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-010763

PATCH

title:	CVS log for src/usr.bin/ssh/sshkey-xmss.c	url:	https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c	Trust: 0.8
title:	Diff for /src/usr.bin/ssh/sshkey-xmss.c between version 1.5 and 1.6	url:	https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c.diff?r1=1.5&r2=1.6&f=h	Trust: 0.8
title:	Release Notes	url:	https://www.openssh.com/releasenotes.html	Trust: 0.8
title:	OpenSSH Enter the fix for the verification error vulnerability	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=99243	Trust: 0.6
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=ec6577109e640dac19a6ddb978afe82d	Trust: 0.1
title:	-	url:	https://github.com/Live-Hack-CVE/CVE-2019-16905	Trust: 0.1
title:	git-and-crumpets	url:	https://github.com/siddicky/git-and-crumpets	Trust: 0.1

sources: VULMON: CVE-2019-16905 // JVNDB: JVNDB-2019-010763 // CNNVD: CNNVD-201910-599

EXTERNAL IDS

db:	NVD	id:	CVE-2019-16905	Trust: 2.6
db:	SIEMENS	id:	SSA-412672	Trust: 1.7
db:	OPENWALL	id:	OSS-SECURITY/2019/10/09/1	Trust: 1.7
db:	JVNDB	id:	JVNDB-2019-010763	Trust: 0.8
db:	PACKETSTORM	id:	155205	Trust: 0.7
db:	CNNVD	id:	CNNVD-201910-599	Trust: 0.6
db:	ICS CERT	id:	ICSA-22-349-21	Trust: 0.1
db:	VULMON	id:	CVE-2019-16905	Trust: 0.1

sources: VULMON: CVE-2019-16905 // JVNDB: JVNDB-2019-010763 // PACKETSTORM: 155205 // CNNVD: CNNVD-201910-599 // NVD: CVE-2019-16905

REFERENCES

url:	https://security.gentoo.org/glsa/201911-01	Trust: 1.8
url:	https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c.diff?r1=1.5&r2=1.6&f=h	Trust: 1.7
url:	https://www.openwall.com/lists/oss-security/2019/10/09/1	Trust: 1.7
url:	https://www.openssh.com/releasenotes.html	Trust: 1.7
url:	https://bugzilla.suse.com/show_bug.cgi?id=1153537	Trust: 1.7
url:	https://0day.life/exploits/0day-1009.html	Trust: 1.7
url:	https://ssd-disclosure.com/archives/4033/ssd-advisory-openssh-pre-auth-xmss-integer-overflow	Trust: 1.7
url:	https://security.netapp.com/advisory/ntap-20191024-0003/	Trust: 1.7
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16905	Trust: 1.5
url:	https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c	Trust: 1.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-16905	Trust: 0.8
url:	https://www.ibm.com/support/pages/node/1143460	Trust: 0.6
url:	https://packetstormsecurity.com/files/155205/gentoo-linux-security-advisory-201911-01.html	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/190.html	Trust: 0.1
url:	https://github.com/live-hack-cve/cve-2019-16905	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/110605	Trust: 0.1
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-349-21	Trust: 0.1
url:	https://creativecommons.org/licenses/by-sa/2.5	Trust: 0.1
url:	https://security.gentoo.org/	Trust: 0.1
url:	https://bugs.gentoo.org.	Trust: 0.1

sources: VULMON: CVE-2019-16905 // JVNDB: JVNDB-2019-010763 // PACKETSTORM: 155205 // CNNVD: CNNVD-201910-599 // NVD: CVE-2019-16905

CREDITS

Gentoo

Trust: 0.7

sources: PACKETSTORM: 155205 // CNNVD: CNNVD-201910-599

SOURCES

db:	VULMON	id:	CVE-2019-16905
db:	JVNDB	id:	JVNDB-2019-010763
db:	PACKETSTORM	id:	155205
db:	CNNVD	id:	CNNVD-201910-599
db:	NVD	id:	CVE-2019-16905

LAST UPDATE DATE

2024-08-14T13:03:06.696000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2019-16905	date:	2023-03-01T00:00:00
db:	JVNDB	id:	JVNDB-2019-010763	date:	2019-10-23T00:00:00
db:	CNNVD	id:	CNNVD-201910-599	date:	2022-12-14T00:00:00
db:	NVD	id:	CVE-2019-16905	date:	2023-03-01T01:56:11.220

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2019-16905	date:	2019-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-010763	date:	2019-10-23T00:00:00
db:	PACKETSTORM	id:	155205	date:	2019-11-08T15:36:32
db:	CNNVD	id:	CNNVD-201910-599	date:	2019-10-09T00:00:00
db:	NVD	id:	CVE-2019-16905	date:	2019-10-09T20:15:23.503