CVE-2023-1667: NULL Pointer Dereference in LibSSH Re-Keying Process with Algorithm Guessing

A newly discovered vulnerability (CVE-2023-1667) in the popular LibSSH library affects the re-keying process and might allow an attacker to trigger a NULL pointer dereference. This vulnerability can lead to a denial-of-service (DoS) attack, causing the SSH service to crash. In this article, we will analyze the vulnerability, discuss its potential impact on your systems, and highlight how to protect yourself from it.

Overview

The vulnerability targets the LibSSH library, which is a widely-used open-source library for implementing SSH functionality in software. According to the Common Vulnerabilities and Exposures (CVE) database, this vulnerability is identified as CVE-2023-1667.

The root cause of the vulnerability is a NULL pointer dereference error during the re-keying process, which happens when LibSSH negotiates a new encryption key with the connected client. Specifically, this issue occurs when the algorithm guessing step fails.

Here is a simplified code snippet showcasing the bug in the libssh library

void ssh_key_reexchange(ssh_session session) {
    // ...

    // Algorithm guessing
    if (client_algorithm_guess() == SSH_ERROR) {
        ssh_log(session,
                SSH_LOG_WARNING,
                "Algorithm guessing failed during rekeying");
        // Issue: NULL pointer dereference
        session->current_crypto->algos_c_to_s->finish(session);

        return;
    }

    // ...
}

As shown above, when the client_algorithm_guess() function returns an error (SSH_ERROR), the code proceeds to call the finish() method on an uninitialized/almost NULL session->current_crypto->algos_c_to_s pointer. This action triggers a NULL pointer dereference, resulting in a crash.

Exploit Details

An attacker can exploit this vulnerability by crafting a malicious authentication request so that the algorithm_guess() process fails during a re-keying. Once the SSH server has successfully authenticated the client, the attacker triggers a key renegotiation. If the crafted request causes a failure in the algorithm guessing step, the NULL pointer dereference will be triggered, and the SSH service will crash.

Impact

As stated before, this vulnerability can lead to a denial of service (DoS) attack, effectively crashing the SSH service. In scenarios where the LibSSH-based SSH service is crucial for remote access or management, a successful exploit could render systems and services inaccessible, causing significant operational disruptions. The exploitation requires an authenticated client, reducing the risk. However, it must still be taken seriously.

Mitigation

To protect against this vulnerability, ensure you are running the latest version of LibSSH. The developers have released a patch for the vulnerability, which is available in the official LibSSH repository. You can find the patch in the following commit: https://github.com/libssh/libssh/commit/9df97ec

Additionally, it is recommended to follow the Principle of Least Privilege (PoLP) and limit the number of users with SSH access to your systems.

Conclusion

The CVE-2023-1667 vulnerability reveals a NULL pointer dereference bug in LibSSH, affecting the re-keying process. Even though it requires authentication, the impact can still be severe for organizations relying on SSH access. Update your LibSSH library version to the patched version and follow security best practices to ensure the safety of your systems.

Timeline

Published on: 05/26/2023 18:15:00 UTC
Last modified on: 06/06/2023 15:02:00 UTC