CVE-2020-1730 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Denial of service
Description	A malicious client or server could crash the counterpart implemented with libssh before 0.9.4. When AES-CTR ciphers are used and don't get fully initialized, libssh will crash when it tries to cleanup the AES-CTR ciphers when closing the connection.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1130	libssh	0.9.3-1	0.9.4-1	Medium	Fixed

Date	Advisory	Group	Package	Severity	Type
09 Apr 2020	ASA-202004-11	AVG-1130	libssh	Medium	denial of service

References
https://www.libssh.org/security/advisories/CVE-2020-1730.txt https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.9&id=958afb1c6ad671fe2a8d671702a88843bb78fc38

Notes
Workaround: Disable AES-CTR ciphers. If you implement a server using libssh we advise to use a prefork model so each session runs in an own process. If you have implemented your server this way this is not really an issue. The client will kill its own connection.

Notes

Workaround: Disable AES-CTR ciphers. If you implement a server using libssh we advise to use a prefork model so each session runs in an own process. If you have implemented your server this way this is not really an issue. The client will kill its own connection.