The Twisted SSH client and server implementation naively accepted an infinite amount of data for the peer's SSH version identifier.
A malicious peer can trivially craft a request that uses all available memory and crash the server, resulting in denial of service. The attack is as simple as nc -rv localhost 22 < /dev/zero
.
The issue was fix in GitHub commit https://github.com/twisted/twisted/commit/98387b39e9f0b21462f6abc7a1325dc370fcdeb1
A fix is available in Twisted 22.2.0.
Reported at https://twistedmatrix.com/trac/ticket/10284 Discussions at https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
Found by vin01
{ "nvd_published_at": "2022-03-03T21:15:00Z", "cwe_ids": [ "CWE-120", "CWE-770" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-03-03T19:02:08Z" }