Russh SSH Library Integer Overflow Vulnerability in Channel Window Adjustment

Vulnerability

A vulnerability exists in the Russh SSH client and server library in versions prior to 0.54.1. The issue arises in the handling of the channel window adjust message, which is used to monitor the available space in the receive buffer of a channel. In affected versions, the implementation improperly adds the received value to an internal state, which can lead to an integer overflow. When Rust code is compiled with overflow checks, the overflow causes a panic, allowing a malicious client to crash a server. The vulnerability also affects clients, which can be crashed by a malicious server, but the impact on servers is more significant because it can disrupt service.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition on the server, causing it to crash and potentially disrupt ongoing services. Additionally, a malicious server could exploit this vulnerability to crash an individual client, although this impact is less critical.

Reproduction

To reproduce this vulnerability, a customized SSH client would be needed to send a channel window adjust message containing a large value, such as the maximum value for a 32-bit unsigned integer. This would cause an integer overflow in the server's receive buffer management, leading to a crash. The vulnerability could be tested by deploying a server running Russh version 0.54.0 or below and then using the custom client to send the crafted message.

Remediation

Users can upgrade to Russh version 0.54.1 or later, where this vulnerability has been fixed.
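
The overflow described above, as an added example that is not Russh's own code: an unchecked addition of the peer-supplied value beside a handler that uses checked arithmetic and rejects an adjustment past 2^32 - 1, the window limit set by RFC 4254 section 5.2. The Channel type, the function names and the error enum are hypothetical, and the payload in main is constructed.

```rust
// Added illustration; all names here are hypothetical, not russh's API.
const SSH_MSG_CHANNEL_WINDOW_ADJUST: u8 = 93; // RFC 4254, section 5.2

#[derive(Debug, PartialEq)]
enum AdjustError { Malformed, WindowOverflow }

struct Channel {
    id: u32,
    remote_window: u32, // bytes we may still send to the peer
}

/// Parse `byte type || uint32 recipient channel || uint32 bytes to add`.
fn parse_window_adjust(p: &[u8]) -> Result<(u32, u32), AdjustError> {
    if p.len() != 9 || p[0] != SSH_MSG_CHANNEL_WINDOW_ADJUST {
        return Err(AdjustError::Malformed);
    }
    let channel = u32::from_be_bytes([p[1], p[2], p[3], p[4]]);
    let amount = u32::from_be_bytes([p[5], p[6], p[7], p[8]]);
    Ok((channel, amount))
}

impl Channel {
    /// Unchecked pattern: panics when built with overflow checks, wraps otherwise.
    #[allow(dead_code)]
    fn adjust_unchecked(&mut self, amount: u32) {
        self.remote_window += amount;
    }

    /// Hardened pattern: the window is left untouched if the sum would overflow.
    fn adjust_checked(&mut self, amount: u32) -> Result<u32, AdjustError> {
        self.remote_window = self.remote_window
            .checked_add(amount)
            .ok_or(AdjustError::WindowOverflow)?;
        Ok(self.remote_window)
    }
}

/// Handle one message for `chan`; on error the caller closes the channel
/// with a protocol error instead of letting the task panic.
fn handle_window_adjust(chan: &mut Channel, payload: &[u8]) -> Result<u32, AdjustError> {
    let (id, amount) = parse_window_adjust(payload)?;
    if id != chan.id { return Err(AdjustError::Malformed); }
    chan.adjust_checked(amount)
}

fn main() {
    // Constructed payload: channel 0, bytes to add = u32::MAX.
    let msg = [SSH_MSG_CHANNEL_WINDOW_ADJUST, 0, 0, 0, 0, 0xff, 0xff, 0xff, 0xff];
    let mut chan = Channel { id: 0, remote_window: 2_097_152 };
    println!("{:?}", handle_window_adjust(&mut chan, &msg));
}
```

Returning an error keeps the failure scoped to the offending connection, whereas a panic in the unchecked form can take down the whole process when overflow checks are enabled.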

Added: Aug 5, 2025, 1:28 AM
Updated: Aug 5, 2025, 1:28 AM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 2.5
exploitability: 6.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.