Executive Summary

Summary
Title libssh: Denial of Service
Informations
Name GLSA-202004-08 First vendor Publication 2020-04-10
Vendor Gentoo Last vendor Modification 2020-04-10
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

A vulnerability in libssh could allow a remote attacker to cause a Denial of Service condition.

Background

libssh is a multiplatform C library implementing the SSHv2 protocol on client and server side.

Description

It was discovered that libssh could crash when AES-CTR ciphers are used.

Impact

A remote attacker running a malicious client or server could possibly crash the counterpart implemented with libssh and cause a Denial of Service condition.

Workaround

Disable AES-CTR ciphers. If you implement a server using libssh it is recommended to use a prefork model so each session runs in an own process.

Resolution

All libssh users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/libssh-0.9.4"

References

[ 1 ] CVE-2020-1730 : https://nvd.nist.gov/vuln/detail/CVE-2020-1730

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/202004-08

Original Source

Url : http://security.gentoo.org/glsa/glsa-202004-08.xml

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2020-04-11 00:17:56
  • First insertion