CVE-2019-16905 - Integer Overflow or Wraparound vulnerability in multiple products

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: local, low complexity, openbsd, netapp, siemens, CWE-190, nessus

Summary

OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.

Common Weakness Enumeration (CWE): CWE-190 - Integer Overflow or Wraparound

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or something similar. The attacker would typically control the value of such a variable and try to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing an incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.

Nessus

  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2294.NASL
    description: According to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.(CVE-2019-16905) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-03
    modified: 2019-11-27
    plugin id: 131360
    published: 2019-11-27
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131360
    title: EulerOS 2.0 SP8 : openssh (EulerOS-SA-2019-2294)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131360);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/01");
    
      script_cve_id(
        "CVE-2019-16905"
      );
    
      script_name(english:"EulerOS 2.0 SP8 : openssh (EulerOS-SA-2019-2294)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the openssh packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerability :
    
      - OpenSSH 7.7 through 7.9 and 8.x before 8.1, when
        compiled with an experimental key type, has a
        pre-authentication integer overflow if a client or
        server is configured to use a crafted XMSS key. This
        leads to memory corruption and local code execution
        because of an error in the XMSS key parsing algorithm.
        NOTE: the XMSS implementation is considered
        experimental in all released OpenSSH versions, and
        there is no supported way to enable it when building
        portable OpenSSH.(CVE-2019-16905)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2294
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ff81612f");
      script_set_attribute(attribute:"solution", value:
    "Update the affected openssh package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/11/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/27");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["openssh-7.8p1-3.h23.eulerosv2r8",
            "openssh-askpass-7.8p1-3.h23.eulerosv2r8",
            "openssh-cavs-7.8p1-3.h23.eulerosv2r8",
            "openssh-clients-7.8p1-3.h23.eulerosv2r8",
            "openssh-keycat-7.8p1-3.h23.eulerosv2r8",
            "openssh-ldap-7.8p1-3.h23.eulerosv2r8",
            "openssh-server-7.8p1-3.h23.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1046.NASL
    description: According to the version of the openssh packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and remote code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.(CVE-2019-16905) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 132800
    published: 2020-01-13
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132800
    title: EulerOS Virtualization for ARM 64 3.0.5.0 : openssh (EulerOS-SA-2020-1046)
  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2019-3_0-0045_OPENSSH.NASL
    description: An update of the openssh package has been released.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133227
    published: 2020-01-27
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133227
    title: Photon OS 3.0: Openssh PHSA-2019-3.0-0045
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201911-01.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201911-01 (OpenSSH: Integer overflow) OpenSSH, when built with the "xmss" USE flag enabled, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. NOTE: This USE flag is disabled by default! Impact : A remote attacker could connect to a vulnerable OpenSSH server using a specially crafted XMSS key, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : Disable the XMSS key type.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130633
    published: 2019-11-08
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130633
    title: GLSA-201911-01 : OpenSSH: Integer overflow
  • NASL family: Misc.
    NASL id: OPENSSH_81.NASL
    description: OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130455
    published: 2019-11-01
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130455
    title: OpenSSH 7.7 < 8.1