CVE-2020-11939
Published: 2020-04-23
Priority: P260 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.30% (87.0th percentile)
In nDPI through 3.2 Stable, the SSH protocol dissector has multiple KEXINIT integer overflows that result in a controlled remote heap overflow in concat_hash_string in ssh.c. Due to the granular nature of the overflow primitive and the ability to control both the contents and layout of the nDPI library's heap memory through remote input, this vulnerability may be abused to achieve full Remote Code Execution against any network inspection stack that is linked against nDPI and uses it to perform network traffic analysis.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ndpi | < ndpi 3.4-1 (bookworm) | ndpi 3.4-1 (bookworm) |
| ntop | ndpi | <= 3.2 | — |
| ntop | ndpi | >= 0 < 3.4-1 | 3.4-1 |
| ntop | ndpi | >= 0 < 3.4-1 | 3.4-1 |
| ntop | ndpi | >= 0 < 3.4-1 | 3.4-1 |
Detection & IOCs (extracted from sources)
- Focus detection on the SSH protocol dissector in nDPI, specifically the KEXINIT message handling path; monitor for integer overflows triggered during SSH key exchange initialization that lead to heap corruption in concat_hash_string() in ssh.c.
- Flag any network inspection stack linked against nDPI <= 3.2 Stable that processes SSH traffic; the overflow is remotely triggerable via crafted SSH KEXINIT packets, which give the sender control over the library's heap layout through network input.
- The vulnerability is present in nDPI through version 3.2 Stable and fixed in nDPI 3.4-1 (Debian packages for bookworm, forky, sid, trixie). Ensure the deployed nDPI version is 3.4 or later.
- The Debian security tracker lists the scope as 'local', which may reflect the deployment context of the affected package rather than the network reachability of the vulnerability itself; the NVD description explicitly states the overflow is remotely triggerable via network traffic.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
GHSA
GHSA-x59q-66q3-mmf8 (ghsa_unreviewed, 2022-05-24) · CVE-2020-11939 [CRITICAL] · CWE-190
Description: same as the NVD description above.
OSV
CVE-2020-11939 (osv, 2020-04-23, CVSS 9.8) [CRITICAL]
Description: same as the NVD description above.
Debian
CVE-2020-11939: ndpi (vendor_debian, 2020, CVSS 9.8) [CRITICAL]
Description: same as the NVD description above.
Scope: local
bookworm: resolved (fixed in 3.4-1)
forky: resolved (fixed in 3.4-1)
sid: resolved (fixed in 3.4-1)
trixie: resolved (fixed in 3.4-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.