Lucene search

K
osvGoogleOSV:GHSA-RV6R-3F5Q-9RGX
HistoryMar 03, 2022 - 7:02 p.m.

Twisted SSH client and server deny of service during SSH handshake.

2022-03-0319:02:08
Google
osv.dev
26
twisted
ssh
denial of service

EPSS

0.005

Percentile

75.8%

Impact

The Twisted SSH client and server implementation naively accepted an infinite amount of data for the peer’s SSH version identifier.

A malicious peer can trivially craft a request that uses all available memory and crash the server, resulting in denial of service. The attack is as simple as nc -rv localhost 22 < /dev/zero.

Patches

The issue was fix in GitHub commit https://github.com/twisted/twisted/commit/98387b39e9f0b21462f6abc7a1325dc370fcdeb1

A fix is available in Twisted 22.2.0.

Workarounds

  • Limit access to the SSH server only to trusted source IP addresses.
  • Connect over SSH only to trusted destination IP addresses.

References

Reported at https://twistedmatrix.com/trac/ticket/10284
Discussions at https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx

For more information

Found by vin01