CVE-2019-16905

2019-11-0118:56:01

redhat.com

access.redhat.com

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.0005 Low

EPSS

Percentile

15.3%

JSON

A Denial of service flaw was found in the way OpenSSH parsed certain specially crafted XMSS (eXtended Merkle Signature Scheme) private keys. Any OpenSSH functionality which parses private keys is vulnerable, for example: 1. If ‘sshd’ daemon is configured to use an XMSS host key that is malformed, it will crash upon any attempt to connect to this server. 2. If ‘authorized_keys’ is configured to use an XMSS public key, and the private key is used to connect to the server, the ssh client used for the connection will crash. 3. Adding a crafted XMSS key to ssh-agent, will cause the ssh-agent to crash. 4. Hosting services which allow users to upload keys may be affected. Malicious keys will cause the flaw to be triggered when the key is parsed. (Note: upload alone is not enough, the key needs to be parsed to cause the crash)

Mitigation

This flaw is triggered when parsing XMSS private keys. XMSS is a PQC (Post-quantum cryptography) algorithm and its use is currently experimental. Other key types or any other OpenSSH functionality are not affected by this flaw. A possible mitigation for this flaw is to NOT use XMSS keys for SSH.