Twisted is a popular event-driven networking framework for Python, widely used for building servers, clients, and networking tools. But in early 2022, a serious vulnerability was discovered: CVE-2022-21716. This post breaks down what happened, shows a simple exploit, explains the impact, and tells you how to fix it.
What is CVE-2022-21716?
The vulnerability is found in Twisted's implementation of the SSH protocol—used for secure remote logins and file transfers. Specifically, the bug affects how Twisted handles the SSH version identification string during the handshake process.
The Core Issue
When a client connects to an SSH server, each side first sends a version identification string (such as SSH-2.0-OpenSSH_8.1). Twisted's SSH client and server did not set any upper limit on how long this string could be. That means a remote client (or server) could send endless data, and Twisted would keep reading all of it into memory, eventually exhausting system resources.
The heart of the problem is in this code (simplified for clarity):
class SSHVersionReader:
    def __init__(self):
        self._buffer = b''

    def dataReceived(self, data):
        # Buffer keeps collecting incoming data, with no upper bound...
        self._buffer += data
        # Code tries to find '\n' to end the version identifier
        if b'\n' in self._buffer:
            # Normal processing...
            pass
If the newline \n never arrives, the buffer keeps growing without limit.
Exploit: How Simple Is the Attack?
Incredibly simple. Anyone can exploit a Twisted SSH server using just netcat and a big data source:
nc -rv localhost 22 < /dev/zero
- nc (netcat) connects to the server on port 22 (SSH).
- /dev/zero is an endless stream of null bytes.
- The SSH server expects an identification string ending with a newline, but the attacker never sends it.
What happens?
Twisted happily reads all incoming data, never hitting a boundary—eventually, all the server's memory gets used up, possibly leading to a crash or making the system unresponsive.
Why Is This Dangerous?
Because anyone can do it, and it does not require authentication. You don't need to log in, guess passwords, or exploit complex protocol states. It's pre-authentication and can be abused by anyone who can connect to the SSH port.
What’s the Fix?
The Twisted dev team released a patch in version 22.2.0. The fix is simple: enforce the maximum length that the SSH specification sets for the version identifier, 255 characters.
Here's a simple conceptual fix:
MAX_VERSION_STRING_LENGTH = 255

class SSHVersionReader:
    def __init__(self, transport):
        self.transport = transport
        self._buffer = b''

    def dataReceived(self, data):
        self._buffer += data
        if len(self._buffer) > MAX_VERSION_STRING_LENGTH:
            self.transport.loseConnection()  # Disconnect the abuser!
        elif b'\n' in self._buffer:
            # Safe to process the version string...
            pass
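To make the difference between the unbounded reader and the capped one concrete, here is an added example that is not Twisted's code and not from the advisory. It models both behaviours with a fake transport (the FakeTransport, UnboundedVersionReader, BoundedVersionReader and simulate names are assumptions made for this illustration) and feeds each reader a constructed stream of null bytes with no newline, the same shape of input the netcat command above produces. The bounded reader also rejects an over-long line that does arrive with a newline, which the conceptual fix above handles only implicitly.

```python
# Added illustration of the unbounded vs. capped version-string reader.
# Not Twisted's implementation; all class and function names are assumptions.
MAX_VERSION_STRING_LENGTH = 255  # limit the SSH specification sets for the identification line


class FakeTransport:
    """Stand-in for a Twisted transport; only records whether we hung up."""

    def __init__(self):
        self.disconnected = False

    def loseConnection(self):
        self.disconnected = True


class UnboundedVersionReader:
    """Models the vulnerable behaviour: the buffer grows until a '\\n' shows up."""

    def __init__(self, transport):
        self.transport = transport
        self._buffer = b''
        self.version = None

    def dataReceived(self, data):
        self._buffer += data
        if b'\n' in self._buffer:
            line, _, self._buffer = self._buffer.partition(b'\n')
            self.version = line.rstrip(b'\r')


class BoundedVersionReader(UnboundedVersionReader):
    """Same parsing with a cap: hang up as soon as the line can no longer be legal."""

    def dataReceived(self, data):
        self._buffer += data
        newline = self._buffer.find(b'\n')
        # No newline yet: only keep waiting while the line could still fit the limit.
        if newline == -1:
            if len(self._buffer) > MAX_VERSION_STRING_LENGTH:
                self.transport.loseConnection()
                self._buffer = b''
            return
        # Newline present but the line (newline included) is over the limit: reject it.
        if newline + 1 > MAX_VERSION_STRING_LENGTH:
            self.transport.loseConnection()
            self._buffer = b''
            return
        line, _, self._buffer = self._buffer.partition(b'\n')
        self.version = line.rstrip(b'\r')


def simulate(reader_cls, chunks):
    """Feed constructed chunks to a reader; return (version, bytes still buffered, disconnected)."""
    transport = FakeTransport()
    reader = reader_cls(transport)
    for chunk in chunks:
        if transport.disconnected:
            break
        reader.dataReceived(chunk)
    return reader.version, len(reader._buffer), transport.disconnected


# Constructed inputs: a legitimate banner, and a newline-less stream of null bytes
# like `< /dev/zero`, here limited to 100 chunks of 1024 bytes so the demo terminates.
GOOD_BANNER = [b'SSH-2.0-OpenSSH_8.1\r\n']
ZERO_STREAM = [b'\x00' * 1024 for _ in range(100)]
LONG_LINE = [b'A' * 300 + b'\n']

if __name__ == '__main__':
    print('unbounded, good banner:', simulate(UnboundedVersionReader, GOOD_BANNER))
    print('unbounded, zero stream:', simulate(UnboundedVersionReader, ZERO_STREAM))
    print('bounded, good banner  :', simulate(BoundedVersionReader, GOOD_BANNER))
    print('bounded, zero stream  :', simulate(BoundedVersionReader, ZERO_STREAM))
    print('bounded, long line    :', simulate(BoundedVersionReader, LONG_LINE))
```

With the unbounded reader the zero stream leaves all 102400 bytes sitting in the buffer and the connection open; in a real server that number only stops growing when the attacker stops or memory runs out. The bounded reader drops the connection on the first chunk and buffers nothing, while a well-formed banner parses identically in both.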
Upgrade your Twisted packages as soon as possible to 22.2.0 or newer!
No Workarounds
If you can't upgrade, there's no official workaround available. The only practical mitigation is to restrict access to your SSH service (e.g., via firewalls) to trusted users until you can upgrade.
References
- Official Twisted Security Advisory
- CVE Database Entry
- Twisted GitHub Repository
Upgrade Twisted via pip
pip install --upgrade twisted
Confirm the version
python -c "import twisted; print(twisted.__version__)"
Make sure it prints 22.2.0 or higher.
Final Word
The lesson: Even mature libraries can contain simple but severe bugs! If you run any SSH service based on Twisted (including custom Python applications), upgrade now to avoid denial-of-service risks from this vulnerability.
If you want to dig deeper into the technical details, be sure to read the Twisted advisory.
Timeline
Published on: 03/03/2022 21:15:00 UTC
Last modified on: 07/03/2022 03:15:00 UTC