PSIRT Advisory

libssh2 integer overflow and out of bounds read/write vulnerabilities

Summary

Multiple integer overflow and out-of-bounds read/write vulnerabilities in the libssh2 library used by the SSL VPN web-mode SSH client may allow an unauthenticated attacker who operates a malicious SSH server, to which an SSL VPN user connects in web mode, to terminate that user's SSL VPN session (denial of service) and possibly to execute arbitrary code, via specially crafted packets sent by the malicious server.


As a precaution, this advisory covers the following libssh2 CVEs:

* CVE-2019-3855 integer overflow when reading a specially crafted packet

* CVE-2019-3856 integer overflow if the server sends an extremely large number of keyboard prompts

* CVE-2019-3857 integer overflow when receiving a specially crafted exit signal message channel packet

* CVE-2019-3858 zero byte allocation when reading a specially crafted SFTP packet

* CVE-2019-3859 out of bounds reads in _libssh2_packet_require(v)

* CVE-2019-3860 out of bounds reads when processing specially crafted SFTP packets

* CVE-2019-3861 out of bounds read when processing a specially crafted packet

* CVE-2019-3862 out of bounds read when receiving a specially crafted exit status message channel packet

* CVE-2019-3863 integer overflow in userauth_keyboard_interactive with a number of extremely long prompt strings
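
The CVEs above share one bug class: a length field taken from an SSH packet is trusted in arithmetic that can wrap, so a bounds check passes and the parser then reads past its buffer. The following C program is an added illustration of that class and of the hardened form of the check; it is not libssh2 code, not FortiOS code, and not an exploit for any of the listed CVEs. The packets it parses are constructed inline, and the function names (parse_string_unsafe, parse_string_safe, add_len_checked) are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Read a big-endian uint32 as used for SSH length fields (RFC 4251). */
static uint32_t read_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern (illustrative, not libssh2's code): the end offset is
 * computed in 32-bit arithmetic and only then compared with the packet
 * length. A crafted length near UINT32_MAX wraps "end" back below pkt_len,
 * the check passes, and a caller that trusts *out_len reads out of bounds. */
int parse_string_unsafe(const unsigned char *pkt, uint32_t pkt_len,
                        uint32_t offset, const unsigned char **out,
                        uint32_t *out_len)
{
    if (offset + 4 > pkt_len)
        return -1;
    uint32_t len = read_u32(pkt + offset);
    uint32_t end = offset + 4 + len;      /* may wrap around */
    if (end > pkt_len)
        return -1;                        /* satisfied after wrap-around */
    *out = pkt + offset + 4;
    *out_len = len;
    return 0;
}

/* Hardened pattern: compare the length against the bytes that remain,
 * computed by subtraction, so no intermediate value can wrap. */
int parse_string_safe(const unsigned char *pkt, uint32_t pkt_len,
                      uint32_t offset, const unsigned char **out,
                      uint32_t *out_len)
{
    if (offset > pkt_len || pkt_len - offset < 4)
        return -1;
    uint32_t len = read_u32(pkt + offset);
    uint32_t remaining = pkt_len - offset - 4;
    if (len > remaining)
        return -1;
    *out = pkt + offset + 4;
    *out_len = len;
    return 0;
}

/* For running totals (for example the combined size of many prompt
 * strings), test for overflow before adding instead of inspecting the sum. */
int add_len_checked(uint32_t total, uint32_t len, uint32_t *sum)
{
    if (len > UINT32_MAX - total)
        return -1;
    *sum = total + len;
    return 0;
}

/* Constructed sample packets (not captured traffic): one well-formed
 * string of 3 bytes, and one whose length field is 0xFFFFFFFC. */
static const unsigned char good_pkt[]    = { 0, 0, 0, 3, 'a', 'b', 'c' };
static const unsigned char crafted_pkt[] = { 0xFF, 0xFF, 0xFF, 0xFC,
                                             'a', 'b', 'c', 'd' };

/* Thin wrappers so the two parsers can be compared on the same input. */
int unsafe_result(const unsigned char *pkt, uint32_t pkt_len)
{
    const unsigned char *s; uint32_t n;
    return parse_string_unsafe(pkt, pkt_len, 0, &s, &n);
}

int safe_result(const unsigned char *pkt, uint32_t pkt_len)
{
    const unsigned char *s; uint32_t n;
    return parse_string_safe(pkt, pkt_len, 0, &s, &n);
}

int main(void)
{
    printf("good packet:    unsafe=%d safe=%d\n",
           unsafe_result(good_pkt, 7), safe_result(good_pkt, 7));
    printf("crafted packet: unsafe=%d safe=%d\n",
           unsafe_result(crafted_pkt, 8), safe_result(crafted_pkt, 8));
    return 0;
}
```

Both parsers accept the well-formed packet; only the hardened one rejects the crafted packet, whose length field makes offset + 4 + len wrap to 0 in the vulnerable check. The same subtraction-based reasoning applies to allocations sized from a packet field: validate the field against what remains before using it as a size.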

Impact

Buffer Overflows

Affected Products

FortiOS 6.2.0

FortiOS 6.0.0 to 6.0.6

FortiOS 5.6.0 to 5.6.10

Other versions are not impacted.

Solutions

There is no known exploit for these vulnerabilities. As a precaution, the affected FortiOS code was patched in FortiOS 5.6.11, 6.0.7 and 6.2.1; upgrade to one of these releases or later.


Workarounds:


Do not connect to an SSH server with the SSL VPN web-mode SSH client unless the remote SSH server is trusted, since the crafted packets that trigger these vulnerabilities originate from the server side of that connection.