CVE-2020-1730

EUVD-2020-12576
A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
redhatCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
Affected Products (NVD)
VendorProductVersion
libsshlibssh
0.8.0 ≤
𝑥
< 0.8.9
libsshlibssh
0.9.0 ≤
𝑥
< 0.9.4
netappcloud_backup
-
canonicalubuntu_linux
18.04
canonicalubuntu_linux
19.10
redhatenterprise_linux
8.0
oraclemysql_workbench
𝑥
≤ 8.0.21
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libssh
bookworm
0.10.6-0+deb12u1
fixed
bookworm (security)
0.10.6-0+deb12u1
fixed
bullseye
0.9.8-0+deb11u1
fixed
bullseye (security)
0.9.8-0+deb11u1
fixed
jessie
not-affected
sid
0.11.1-1
fixed
stretch
not-affected
trixie
0.11.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libssh
bionic
Fixed 0.8.0~20170825.94fa1e38-1ubuntu0.6
released
eoan
Fixed 0.9.0-1ubuntu1.4
released
trusty
dne
xenial
not-affected
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1730
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2A7BIFKUYIYKTY7FX4BEWVC2OHS5DPOU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VLSWHBQ3EPKGTGLQNH554Z746BJ3C554/
https://security.netapp.com/advisory/ntap-20200424-0001/
https://usn.ubuntu.com/4327-1/
https://www.libssh.org/security/advisories/CVE-2020-1730.txt
https://www.oracle.com/security-alerts/cpuoct2020.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1730
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2A7BIFKUYIYKTY7FX4BEWVC2OHS5DPOU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VLSWHBQ3EPKGTGLQNH554Z746BJ3C554/
https://security.netapp.com/advisory/ntap-20200424-0001/
https://usn.ubuntu.com/4327-1/
https://www.libssh.org/security/advisories/CVE-2020-1730.txt
https://www.oracle.com/security-alerts/cpuoct2020.html