Date: Tue, 23 Sep 2014 17:18:27 +0200
From: Steffen Bauch <mail@...ffenbauch.de>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] CVE-2014-6603 suricata 2.0.3 Out-of-bounds access in SSH parser

CVE-2014-6603 suricata 2.0.3 Out-of-bounds access in SSH application parser

1. Background

Suricata is a high performance Network IDS, IPS and Network Security 
Monitoring engine developed by the Open Information Security Foundation 
(OISF).

2. Summary Information

The SSH application parser integrated in Suricata contains a flaw that can 
lead to an out-of-bounds memory access. As a result, a Denial of Service 
against the Suricata monitoring software might be possible using crafted 
packets on the monitoring interface.

3. Technical Description

The SSH application parser (src/app-layer-ssh.c) contains the function 
SSHParseBanner. If the parsed buffer is either

"SSH-2.0\r-MySSHClient-0.5.1\n"

or

"SSH-2.0-\rMySSHClient-0.5.1\n"

the function misbehaves and attempts either a very large memory allocation 
or an array access with a negative index, which under certain conditions 
can also lead to an out-of-bounds write. The root cause is that the end of 
the banner and the start of the software version are computed 
independently, so the two positions can be inconsistent with each other.
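To illustrate the defensive pattern that avoids this class of bug, here is an added example banner parser written for this advisory; it is not Suricata's code, and the names ssh_parse_banner and ssh_banner_t are assumptions made for the example. The line terminator is located first, and the separating '-' is then only searched for inside that line, so the software-version offset can never lie beyond the end of the banner and no negative length can arise. Both banners quoted above are rejected as malformed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of parsing one SSH identification line ("SSH-proto-software").
 * Offsets and lengths refer to the caller's buffer; nothing is copied.
 * (Hypothetical type, not part of Suricata.) */
typedef struct {
    size_t proto_off, proto_len;  /* e.g. "2.0" */
    size_t sw_off, sw_len;        /* e.g. "OpenSSH_6.6" (may itself contain '-') */
    size_t line_len;              /* bytes consumed, terminator included */
} ssh_banner_t;

/* Returns 1 on success, 0 when the banner is malformed or incomplete.
 * The order of the two searches is the point: the terminator is found
 * first, and the protocol/software separator is only accepted if it
 * lies strictly before that terminator. All arithmetic is on validated
 * size_t positions, so no length can wrap or go negative. */
int ssh_parse_banner(const unsigned char *buf, size_t len, ssh_banner_t *out)
{
    static const char prefix[] = "SSH-";
    const size_t plen = sizeof(prefix) - 1;
    if (len < plen || memcmp(buf, prefix, plen) != 0)
        return 0;                       /* not an SSH identification line */

    /* 1. Locate the first CR or LF; that is the end of the banner. */
    size_t end = plen;
    while (end < len && buf[end] != '\r' && buf[end] != '\n')
        end++;
    if (end == len)
        return 0;                       /* no terminator yet: need more data */

    /* 2. Locate the '-' separator, but only within [plen, end). */
    size_t dash = plen;
    while (dash < end && buf[dash] != '-')
        dash++;
    if (dash == end)
        return 0;                       /* CR/LF came before the separator */
    if (dash == plen)
        return 0;                       /* empty protocol version */
    if (dash + 1 >= end)
        return 0;                       /* empty software version */

    out->proto_off = plen;
    out->proto_len = dash - plen;
    out->sw_off    = dash + 1;
    out->sw_len    = end - (dash + 1);

    /* 3. Swallow an optional LF following a CR so the caller can skip the line. */
    size_t consumed = end + 1;
    if (buf[end] == '\r' && consumed < len && buf[consumed] == '\n')
        consumed++;
    out->line_len = consumed;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed banner and the two
     * malformed banners quoted in the advisory. */
    const char *samples[] = {
        "SSH-2.0-OpenSSH_6.6\r\n",
        "SSH-2.0\r-MySSHClient-0.5.1\n",
        "SSH-2.0-\rMySSHClient-0.5.1\n",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        ssh_banner_t b;
        const unsigned char *p = (const unsigned char *)samples[i];
        if (ssh_parse_banner(p, strlen(samples[i]), &b))
            printf("ok: proto=%.*s software=%.*s\n",
                   (int)b.proto_len, p + b.proto_off,
                   (int)b.sw_len, p + b.sw_off);
        else
            printf("rejected malformed banner #%zu\n", i + 1);
    }
    return 0;
}
```

Because the parser only reports "incomplete" when no terminator is present at all, a caller feeding reassembled stream data can safely retry with more bytes, while any banner whose separator is missing or sits after the terminator is dropped before any length is derived from it.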

4. Affected versions

Affected versions are Suricata 2.0.3 and 2.1beta1; older versions might 
be affected as well.

5. Fix

The issue is fixed in Suricata 2.0.4 and will be fixed in the next major 
release. See 
http://suricata-ids.org/2014/09/23/suricata-2-0-4-available/ for reference.

6. Advisory Timeline

2014-09-10: Discovered
2014-09-12: Reported to vendor by email
2014-09-12: Vendor responded, confirmed and provided preliminary fix
2014-09-17: Requested CVE
2014-09-19: CVE number received
2014-09-23: Vendor reported a fixed version released
2014-09-23: Published

7. Credit

The issue was found by

Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de

8. References

http://www.openinfosecfoundation.org/
http://suricata-ids.org/
http://suricata-ids.org/2014/09/23/suricata-2-0-4-available/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
