Vulnerability Details : CVE-2019-16905
Potential exploit
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.
Vulnerability category: Overflow, Memory Corruption
Products affected by CVE-2019-16905
- cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:scalance_x204rna_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:scalance_x204rna_ecc_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
Threat overview for CVE-2019-16905
- Top open port discovered on systems with this issue: 22
- IPs affected by CVE-2019-16905: 6,244,776
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2019-16905
- EPSS score: 0.20% (probability of exploitation activity in the next 30 days)
- Percentile: ~ 40 % (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-16905
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P | 3.4 | 6.4 | NIST | |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2019-16905
- The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-16905
- https://www.openwall.com/lists/oss-security/2019/10/09/1
  oss-security - Announce: OpenSSH 8.1 released (Mailing List; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20191024-0003/
  CVE-2019-16905 OpenSSH Pre-Auth Integer Overflow Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://0day.life/exploits/0day-1009.html
  OpenSSH Pre-Auth XMSS - Integer Overflow | 0day (Exploit; Third Party Advisory)
- https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c.diff?r1=1.5&r2=1.6&f=h
  src/usr.bin/ssh/sshkey-xmss.c - diff - 1.6 (Patch)
- https://ssd-disclosure.com/archives/4033/ssd-advisory-openssh-pre-auth-xmss-integer-overflow
  SSD Advisory - OpenSSH Pre-Auth XMSS Integer Overflow - SSD Secure Disclosure (Exploit; Third Party Advisory)
- https://security.gentoo.org/glsa/201911-01
  OpenSSH: Integer overflow (GLSA 201911-01) — Gentoo security (Third Party Advisory)
- https://bugzilla.suse.com/show_bug.cgi?id=1153537
  Bug 1153537 – VUL-1: CVE-2019-16905: openssh: when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key (Issue Tracking; Third Party Advisory)
- https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c
  CVS log for src/usr.bin/ssh/sshkey-xmss.c (Release Notes; Vendor Advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
  (Third Party Advisory)
- https://www.openssh.com/releasenotes.html
  OpenSSH: Release Notes (Release Notes)