Vulnerability Details : CVE-2023-28113
russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping. Most other implementations reject such keys, so this is mainly an interoperability issue in such a case. This issue is fixed in versions 0.36.2 and 0.37.1
Vulnerability category: Input validation
Products affected by CVE-2023-28113
- cpe:2.3:a:russh_project:russh:*:*:*:*:*:rust:*:*
- cpe:2.3:a:russh_project:russh:0.37.0:-:*:*:*:rust:*:*
- cpe:2.3:a:russh_project:russh:0.37.0:beta1:*:*:*:rust:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-28113
0.18%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 56 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-28113
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.9
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
2.2
|
3.6
|
NIST | |
5.9
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
2.2
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2023-28113
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: security-advisories@github.com (Secondary)
-
The product does not verify, or incorrectly verifies, the cryptographic signature for data.Assigned by: nvd@nist.gov (Primary)
-
The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-28113
-
https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg
russh may use insecure Diffie-Hellman keys · Advisory · warp-tech/russh · GitHubExploit;Vendor Advisory
-
https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76
russh/groups.rs at master · warp-tech/russh · GitHubProduct
-
https://github.com/warp-tech/russh/releases/tag/v0.37.1
Release v0.37.1 · warp-tech/russh · GitHubRelease Notes
-
https://github.com/warp-tech/russh/releases/tag/v0.36.2
Release v0.36.2 · warp-tech/russh · GitHubRelease Notes
-
https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81
russh/groups.rs at master · warp-tech/russh · GitHubProduct
-
https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e
GHSA-cqvm-j2r2-hwpg validate DH key range · warp-tech/russh@d831a37 · GitHubPatch
Jump to