Libssh2, a popular open source client-side C library implementing the SSHv2 protocol, has released the latest version of its software to patch a total of nine security vulnerabilities.
The Libssh2 library is available for all major distributions of the Linux operating system, including Ubuntu, Red Hat, and Debian, and also comes bundled within some distributions and software as a default library.
According to an advisory published Monday, all of the vulnerabilities listed below, which were patched with the release of libssh2 version 1.8.1, lead to memory corruption issues that could result in arbitrary code execution on a client system in certain circumstances.
Here's the list of security vulnerabilities patched in Libssh2:
1. CVE-2019-3855: Possible integer overflow in transport read that could lead to an out-of-bounds write. A malicious server, or a remote attacker who compromises an SSH server, could send a specially crafted packet which could result in executing malicious code on the client system when a user connects to the server.
2. CVE-2019-3856: Possible integer overflow in keyboard interactive handling allows out-of-bounds write. A malicious or compromised SSH server can exploit the client system by sending a value approaching the maximum unsigned int for the number of keyboard prompt requests.
3. CVE-2019-3857: Possible integer overflow issue leads to zero-byte allocation and out-of-bounds write. A malicious server could send an SSH_MSG_CHANNEL_REQUEST packet with an exit signal message whose length is the maximum unsigned integer value.
4. CVE-2019-3858: Possible zero-byte allocation leading to an out-of-bounds read. An attacking server can send a specially crafted partial SFTP packet with a zero value for the payload length, allowing attackers to cause a Denial of Service or read data in the client memory.
5. CVE-2019-3859: Out-of-bounds reads with specially crafted payloads due to unchecked use of "_libssh2_packet_require" and "_libssh2_packet_requirev". A server could send a specially crafted partial packet in response to various commands such as sha1 and sha256 key exchange, user auth list, and user auth password response, allowing attackers to cause a Denial of Service or read data in the client memory.
6. CVE-2019-3860: Out-of-bounds reads with specially crafted SFTP packets that also allow attackers to cause a Denial of Service or read data in the client memory.
7. CVE-2019-3861: Out-of-bounds reads with specially crafted SSH packets that occur when the padding length value is greater than the packet length, resulting in the parsing of the corrupted packet.
8. CVE-2019-3862: An out-of-bounds read issue occurs when the server sends specially crafted SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload, resulting in Denial of Service or reading of data in the client memory.
9. CVE-2019-3863: Integer overflow in user-authenticated keyboard-interactive handling allows out-of-bounds writes.
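To make the length-handling bug classes in items 1 and 7 concrete, here is an added example (not libssh2's code and not its actual fix) of validating the header of an unencrypted SSH binary packet before its lengths are used for arithmetic or allocation. The function name, the size cap and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed cap for this example; RFC 4253 requires handling packets up to 35000 bytes. */
#define MAX_PACKET_LEN 35000u
#define MIN_PADDING 4u /* RFC 4253 section 6: at least four bytes of padding */

/* Constructed sample packets (not captured traffic); unset bytes are zero. */
static const unsigned char good_pkt[16] = {0, 0, 0, 12, 6, 'h', 'e', 'l', 'l', 'o'};
static const unsigned char bad_pad[16] = {0, 0, 0, 12, 200};
static const unsigned char huge_len[16] = {0xff, 0xff, 0xff, 0xff, 4};

/*
 * Validate: uint32 packet_length | byte padding_length | payload | padding.
 * Returns 0 and stores the payload length on success; returns -1 when the
 * lengths are inconsistent or the packet has not been fully received.
 */
int check_packet(const unsigned char *buf, size_t avail, size_t *payload_len)
{
    uint32_t packet_len;
    uint8_t pad_len;

    if (avail < 5)
        return -1; /* header incomplete */
    packet_len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                 ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    pad_len = buf[4];

    /* Bound the server-controlled length before doing arithmetic with it,
       so later additions (header, MAC) cannot wrap around. */
    if (packet_len < 1 + MIN_PADDING || packet_len > MAX_PACKET_LEN)
        return -1;
    /* Padding must fit inside the packet beside the padding-length byte;
       otherwise the payload length below would underflow. */
    if (pad_len < MIN_PADDING || (uint32_t)pad_len > packet_len - 1)
        return -1;
    /* Never trust a length larger than the bytes actually received. */
    if ((size_t)packet_len > avail - 4)
        return -1;

    *payload_len = (size_t)packet_len - 1 - pad_len;
    return 0;
}

int main(void)
{
    size_t n = 0;
    return !(check_packet(good_pkt, sizeof good_pkt, &n) == 0 && n == 5 &&
             check_packet(bad_pad, sizeof bad_pad, &n) == -1 &&
             check_packet(huge_len, sizeof huge_len, &n) == -1);
}
```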
These security vulnerabilities affect all versions of Libssh2 prior to version 1.8.1, and fortunately, there are reportedly no known exploits of these flaws on the Internet at this time.
Chris Coulson of Canonical Ltd. was credited with discovering all nine security vulnerabilities and responsibly disclosing them to the Libssh2 developers.
If you are using Libssh2, install the updated version as soon as possible.
This is not the first time the popular library has been found vulnerable to security issues. Late last year, its developers patched a four-year-old severe vulnerability in Libssh that allowed unauthenticated attackers to gain unfettered administrative control over a vulnerable server without requiring a password.