The Twisted SSH client and server implementation naively accepted an infinite amount of data for the peer’s SSH version identifier.
A malicious peer can trivially craft a request that uses all available memory and crash the server, resulting in denial of service. The attack is as simple as nc -rv localhost 22 < /dev/zero
.
The issue was fix in GitHub commit https://github.com/twisted/twisted/commit/98387b39e9f0b21462f6abc7a1325dc370fcdeb1
A fix is available in Twisted 22.2.0.
Reported at https://twistedmatrix.com/trac/ticket/10284
Discussions at https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
Found by vin01
github.com/twisted/twisted
github.com/twisted/twisted/commit/98387b39e9f0b21462f6abc7a1325dc370fcdeb1
github.com/twisted/twisted/releases/tag/twisted-22.2.0
github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
lists.debian.org/debian-lts-announce/2022/03/msg00009.html
lists.fedoraproject.org/archives/list/[email protected]/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K
lists.fedoraproject.org/archives/list/[email protected]/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6
nvd.nist.gov/vuln/detail/CVE-2022-21716
security.gentoo.org/glsa/202301-02
twistedmatrix.com/trac/ticket/10284
www.oracle.com/security-alerts/cpuapr2022.html