GHSA-rv6r-3f5q-9rgx

Source

https://github.com/advisories/GHSA-rv6r-3f5q-9rgx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-rv6r-3f5q-9rgx/GHSA-rv6r-3f5q-9rgx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rv6r-3f5q-9rgx

Aliases

Published

2022-03-03T19:02:08Z

Modified

2024-02-16T08:10:30.503637Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Twisted SSH client and server deny of service during SSH handshake.

Details

Impact

The Twisted SSH client and server implementation naively accepted an infinite amount of data for the peer's SSH version identifier.

A malicious peer can trivially craft a request that uses all available memory and crash the server, resulting in denial of service. The attack is as simple as nc -rv localhost 22 < /dev/zero.

Patches

The issue was fix in GitHub commit https://github.com/twisted/twisted/commit/98387b39e9f0b21462f6abc7a1325dc370fcdeb1

A fix is available in Twisted 22.2.0.

Workarounds

Limit access to the SSH server only to trusted source IP addresses.
Connect over SSH only to trusted destination IP addresses.

References

Reported at https://twistedmatrix.com/trac/ticket/10284 Discussions at https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx

For more information

Found by vin01

References

Affected packages

PyPI / twisted

Package

Name: twisted; View open source insights on deps.dev
Purl: pkg:pypi/twisted

Affected ranges

Type: ECOSYSTEM
Events: Introduced

21.7.0

Fixed

22.2.0

Affected versions

21.*

21.7.0

22.*

22.1.0rc1

22.1.0

22.2.0rc1

Ecosystem specific

{
    "affected_functions": [
        "twisted.conch.ssh.transport.SSHTransportBase.dataReceived"
    ]
}