CVE-2020-1730

A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
redhatCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
VendorProductVersion
libsshlibssh
0.8.0 ≤
𝑥
< 0.8.9
libsshlibssh
0.9.0 ≤
𝑥
< 0.9.4
netappcloud_backup
-
canonicalubuntu_linux
18.04
canonicalubuntu_linux
19.10
redhatenterprise_linux
8.0
oraclemysql_workbench
𝑥
≤ 8.0.21
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libssh
bullseye (security)
0.9.8-0+deb11u1
fixed
bullseye
0.9.8-0+deb11u1
fixed
stretch
not-affected
jessie
not-affected
bookworm
0.10.6-0+deb12u1
fixed
bookworm (security)
0.10.6-0+deb12u1
fixed
sid
0.11.1-1
fixed
trixie
0.11.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libssh
eoan
Fixed 0.9.0-1ubuntu1.4
released
bionic
Fixed 0.8.0~20170825.94fa1e38-1ubuntu0.6
released
xenial
not-affected
trusty
dne
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1730
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2A7BIFKUYIYKTY7FX4BEWVC2OHS5DPOU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VLSWHBQ3EPKGTGLQNH554Z746BJ3C554/
https://security.netapp.com/advisory/ntap-20200424-0001/
https://usn.ubuntu.com/4327-1/
https://www.libssh.org/security/advisories/CVE-2020-1730.txt
https://www.oracle.com/security-alerts/cpuoct2020.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1730
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2A7BIFKUYIYKTY7FX4BEWVC2OHS5DPOU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VLSWHBQ3EPKGTGLQNH554Z746BJ3C554/
https://security.netapp.com/advisory/ntap-20200424-0001/
https://usn.ubuntu.com/4327-1/
https://www.libssh.org/security/advisories/CVE-2020-1730.txt
https://www.oracle.com/security-alerts/cpuoct2020.html