GHSA-rv6r-3f5q-9rgx

Source
https://github.com/advisories/GHSA-rv6r-3f5q-9rgx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-rv6r-3f5q-9rgx/GHSA-rv6r-3f5q-9rgx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rv6r-3f5q-9rgx
Aliases
Published
2022-03-03T19:02:08Z
Modified
2024-11-25T18:48:42.597453Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Twisted SSH client and server denial of service during SSH handshake.
Details

Impact

The Twisted SSH client and server implementation naively accepted an unbounded amount of data for the peer's SSH version identifier, buffering it until a line terminator arrived.

A malicious peer can trivially craft a request that uses all available memory and crashes the process, resulting in denial of service. The attack is as simple as nc -rv localhost 22 < /dev/zero.
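As an added illustration of the defect and its mitigation (example code, not Twisted's implementation or its fix), the reader below enforces the RFC 4253 cap of 255 bytes on the identification string, so a peer that never sends a line terminator is rejected after at most one chunk past the cap instead of growing the buffer without bound; the MAX_PREAMBLE_LINES value is an assumed cap, not taken from the RFC.

```python
# Bounded SSH version-identifier reader (added example, not Twisted's code).
# RFC 4253 s4.2 caps the identification string at 255 bytes including CRLF;
# the defect described above is the absence of such a cap, so a peer that
# never sends a line terminator makes the receive buffer grow without bound.

class VersionLineTooLong(Exception):
    """Peer sent more bytes than the cap without completing the version line."""


class VersionReader:
    MAX_LINE = 255            # RFC 4253 s4.2 limit, including CRLF
    MAX_PREAMBLE_LINES = 20   # assumption: cap on non-"SSH-" lines before the banner

    def __init__(self):
        self._buf = b""
        self._preamble = 0
        self.version = None

    def feed(self, data):
        """Consume a chunk as it arrives; return the version string once complete.

        Returns None while the line is still incomplete but within the cap.
        """
        if self.version is not None:
            return self.version
        self._buf += data
        while True:
            idx = self._buf.find(b"\n")
            if idx == -1:
                # Still no terminator: never keep more than the cap buffered.
                if len(self._buf) > self.MAX_LINE:
                    raise VersionLineTooLong(len(self._buf))
                return None
            line, self._buf = self._buf[: idx + 1], self._buf[idx + 1 :]
            if len(line) > self.MAX_LINE:
                raise VersionLineTooLong(len(line))
            text = line.rstrip(b"\r\n")
            if text.startswith(b"SSH-"):
                self.version = text.decode("ascii", "replace")
                return self.version
            # RFC 4253 lets a server send other lines first; bound those too.
            self._preamble += 1
            if self._preamble > self.MAX_PREAMBLE_LINES:
                raise VersionLineTooLong("too many preamble lines")


def bytes_accepted_before_reject(chunk, max_chunks):
    """Feed a stream with no line terminator; return bytes buffered when rejected."""
    reader = VersionReader()
    for _ in range(max_chunks):
        try:
            reader.feed(chunk)
        except VersionLineTooLong:
            return len(reader._buf)
    return len(reader._buf)
```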

Patches

The issue was fixed in GitHub commit https://github.com/twisted/twisted/commit/98387b39e9f0b21462f6abc7a1325dc370fcdeb1

A fix is available in Twisted 22.2.0.

Workarounds

  • Limit access to the SSH server only to trusted source IP addresses.
  • Connect over SSH only to trusted destination IP addresses.

References

  • Reported at https://twistedmatrix.com/trac/ticket/10284
  • Discussions at https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx

For more information

Found by vin01

Database specific
{
    "nvd_published_at": "2022-03-03T21:15:00Z",
    "cwe_ids": [
        "CWE-120",
        "CWE-770"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-03T19:02:08Z"
}
Affected packages

PyPI / twisted

Affected ranges

  • Type: ECOSYSTEM
  • Introduced: 21.7.0
  • Fixed: 22.2.0

Affected versions

  • 21.*: 21.7.0
  • 22.*: 22.1.0rc1, 22.1.0, 22.2.0rc1