CVE-2019-16905
published 2019-10-09
CVE-2019-16905: OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is…
Priority: P3 · 43 · high · 7.8 · CVSS 3.1
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.17% (80.0th percentile)
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | < openssh 1:8.1p1-1 (bookworm) | openssh 1:8.1p1-1 (bookworm) |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_openssh_8.0p1-9_on_cbl_mariner_1.0 | — | — |
| openbsd | openssh | >= 0 < 1:8.1p1-1 | 1:8.1p1-1 |
| openbsd | openssh | >= 0 < 1:8.1p1-1 | 1:8.1p1-1 |
| openbsd | openssh | >= 0 < 1:8.1p1-1 | 1:8.1p1-1 |
| openbsd | openssh | >= 0 < 1:8.1p1-1 | 1:8.1p1-1 |
| openbsd | openssh | 7.7 – 7.9 | — |
| openbsd | openssh | >= 8.0 < 8.1 | 8.1 |
| paloalto | pan-os | — | — |
| siemens | scalance_x204rna_ecc_firmware | < 3.2.7 | 3.2.7 |
| siemens | scalance_x204rna_firmware | < 3.2.7 | 3.2.7 |
CVSS provenance
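| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | LOW | — |
| vendor_msrc | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |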
GHSA
GHSA-qw5m-v83j-4g26: OpenSSH 7
ghsa_unreviewed·2022-05-24
CVE-2019-16905 [HIGH] CWE-190 GHSA-qw5m-v83j-4g26: OpenSSH 7
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and remote code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.
OSV
CVE-2019-16905: OpenSSH 7
osv·2019-10-09·CVSS 7.8
CVE-2019-16905 [HIGH] CVE-2019-16905: OpenSSH 7
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.
Palo Alto
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-02-14·CVSS 9.8
CVE-2017-18342 [CRITICAL] PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-18342, CVE-2017-8923, CVE-2017-9120, CVE-2019-1551, CVE-2019-16865, CVE-2019-16905, CVE-2019-19523, CVE-2019-19528, CVE-2019-19911, CVE-2020-0404, CVE-2020-0431, CVE-2020-0466, CVE-2020-10379, CVE-2020-11538, CVE-2020-11608, CVE-2020-12114, CVE-2020-12321, CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-13757, CVE-2020-14314, CVE-2020-14351, CVE-2020-15778, CVE-2020-1967, CVE-2020-24394, CVE-2020-24504, CVE-2020-25211, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25717, CVE-2020-26541, CVE-2020-2715
CISA ICS
Siemens SCALANCE X-200RNA Switch Devices
cisa_ics·2022-12-19
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
## Siemens SCALANCE X-200RNA Switch Devices
Last Revised: December 19, 2022
Alert Code: ICSA-22-349-21
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Siemens
- Equipment: SCALANCE X-200RNA switch devices before V3.2.7
- Vulnerabilities: Observable Timing Discrepancy; Race Condition; Improper Restriction of Operations within the Bounds of a Memory Buffer; Improper Input Validation; NULL Pointer Dereference; Use After Free; Cryptographic Issues; Comparison of Incompatible Types; Resource Management
Palo Alto
PAN
vendor_paloalto·2020-04-08·CVSS 6.7
CVE-2019-0139 [MEDIUM] PAN
Palo Alto Networks Product Security Assurance team has evaluated and determined that these third-party or open source vulnerabilities do not have a security impact on Palo Alto Networks Products, or the scenarios required for successful
CVEs: CVE-2019-0139, CVE-2019-0140, CVE-2019-0142, CVE-2019-0143, CVE-2019-0144, CVE-2019-0145, CVE-2019-0146, CVE-2019-0147, CVE-2019-0148, CVE-2019-0149, CVE-2019-0150, CVE-2019-11168, CVE-2019-11170, CVE-2019-11171, CVE-2019-11172, CVE-2019-11173, CVE-2019-11174, CVE-2019-11175, CVE-2019-11177, CVE-2019-11178, CVE-2019-11179, CVE-2019-11180, CVE-2019-11181, CVE-2019-11182, CVE-2019-12735, CVE-2019-16905, CVE-2020-0561, CVE-2020-0562, CVE-2020-0563, CVE-2020-0564
Affected products: PAN-OS
Microsoft
OpenSSH 7.7 through 7.9 and 8.x before 8.1 when compiled with an experimental key type has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This lea
vendor_msrc·2019-10-08·CVSS 7.8
CVE-2019-16905 [HIGH] CWE-190 OpenSSH 7.7 through 7.9 and 8.x before 8.1 when compiled with an experimental key type has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This lea
OpenSSH 7.7 through 7.9 and 8.x before 8.1 when compiled with an experimental key type has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions and there is no supported way to enable it when building portable OpenSSH.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open so
Red Hat
openssh: an integer overflow in the private key parsing code for the XMSS key type
vendor_redhat·2019-08-28·CVSS 7.8
CVE-2019-16905 [HIGH] CWE-190 openssh: an integer overflow in the private key parsing code for the XMSS key type
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.
A denial of service flaw was found in the way OpenSSH parsed certain specially crafted XMSS (eXtended Merkle Signature Scheme) private keys. Any OpenSSH functionality which parses private keys is vulnerable, for example:
1. If ‘sshd’ daemon is
Debian
CVE-2019-16905: openssh - OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental k...
vendor_debian·2019·CVSS 7.8
CVE-2019-16905 [HIGH] CVE-2019-16905: openssh - OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental k...
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.
Scope: local
bookworm: resolved (fixed in 1:8.1p1-1)
bullseye: resolved (fixed in 1:8.1p1-1)
forky: resolved (fixed in 1:8.1p1-1)
sid: resolved (fixed in 1:8.1p1-1)
trixie: resolved (fixed in 1:8.1p1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-16905 openssh: an integer overflow in the private key parsing code for the XMSS key type
bugzilla·2019-11-01·CVSS 7.8
CVE-2019-16905 [HIGH] CVE-2019-16905 openssh: an integer overflow in the private key parsing code for the XMSS key type
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.
References:
https://ssd-disclosure.com/archives/4033/ssd-advisory-openssh-pre-auth-xmss-integer-overflow
https://www.openssh.com/releasenotes.html
Discussion:
Created openssh tracking bugs for this issue:
Affects: fedora-29 [
Bugzilla
CVE-2019-16905 openssh: an integer overflow in the private key parsing code for the XMSS key type [fedora-30]
bugzilla·2019-11-01·CVSS 7.8
CVE-2019-16905 [HIGH] CVE-2019-16905 openssh: an integer overflow in the private key parsing code for the XMSS key type [fedora-30]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-30.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the
Bugzilla
CVE-2019-16905 openssh: an integer overflow in the private key parsing code for the XMSS key type [fedora-29]
bugzilla·2019-11-01·CVSS 7.8
CVE-2019-16905 [HIGH] CVE-2019-16905 openssh: an integer overflow in the private key parsing code for the XMSS key type [fedora-29]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-29.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the
References:
https://bugzilla.suse.com/show_bug.cgi?id=1153537
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c.diff?r1=1.5&r2=1.6&f=h
https://security.gentoo.org/glsa/201911-01
https://security.netapp.com/advisory/ntap-20191024-0003/
https://ssd-disclosure.com/archives/4033/ssd-advisory-openssh-pre-auth-xmss-integer-overflow
https://www.openssh.com/releasenotes.html
https://www.openwall.com/lists/oss-security/2019/10/09/1
Published: 2019-10-09