CVE-2019-16905: Integer Overflow
First published: Wed Oct 09 2019(Updated: )
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Openbsd Openssh | >=7.7<=7.9 | |
| Openbsd Openssh | >=8.0<8.1 | |
| Netapp Cloud Backup | ||
| Netapp Steelstore Cloud Integrated Storage | ||
| Siemens Scalance X204rna Firmware | <3.2.7 | |
| Siemens Scalance X204rna | ||
| Siemens Scalance X204rna Ecc Firmware | <3.2.7 | |
| Siemens Scalance X204rna Ecc |
Remedy
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c.diff?r1=1.5&r2=1.6&f=h
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://0day.life/exploits/0day-1009.html
- https://bugzilla.suse.com/show_bug.cgi?id=1153537
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c
- https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c.diff?r1=1.5&r2=1.6&f=h
- https://security.gentoo.org/glsa/201911-01
- https://security.netapp.com/advisory/ntap-20191024-0003/
- https://ssd-disclosure.com/archives/4033/ssd-advisory-openssh-pre-auth-xmss-integer-overflow
- https://www.openssh.com/releasenotes.html
- https://www.openwall.com/lists/oss-security/2019/10/09/1
Frequently Asked Questions
What is the severity of CVE-2019-16905?
The severity of CVE-2019-16905 is high with a severity value of 7.8.
Which software versions are affected by CVE-2019-16905?
OpenSSH versions 7.7 through 7.9 and versions 8.x before 8.1 when compiled with an experimental key type are affected. Netapp Cloud Backup and Netapp Steelstore Cloud Integrated Storage are also affected.
How does CVE-2019-16905 affect OpenSSH?
CVE-2019-16905 affects OpenSSH when it is compiled with an experimental key type, leading to a pre-authentication integer overflow and memory corruption.
Is Siemens Scalance X204rna vulnerable to CVE-2019-16905?
Siemens Scalance X204rna is vulnerable to CVE-2019-16905 if it is running the affected firmware versions.
How can I fix the vulnerability in OpenSSH?
To fix the vulnerability in OpenSSH, you should update to version 8.1 or higher.
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/weakness
- agent/severity
- agent/remedy
- agent/author
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/openbsd
- canonical/openbsd openssh
- version/openbsd openssh/7.7
- version/openbsd openssh/7.9
- version/openbsd openssh/8.0
- vendor/netapp
- canonical/netapp cloud backup
- canonical/netapp steelstore cloud integrated storage
- vendor/siemens
- canonical/siemens scalance x204rna firmware
- canonical/siemens scalance x204rna
- canonical/siemens scalance x204rna ecc firmware
- canonical/siemens scalance x204rna ecc