libssh Denial-of-Service Vulnerability via Arbitrary File Access in Configuration Parsing

A denial-of-service vulnerability has been identified in libssh, where the library can be misled into opening arbitrary files during the parsing of configuration files. This issue arises when a local attacker provides a malicious configuration file or when the system is improperly configured. The vulnerability can cause the system to access harmful files, such as block devices or large system files, disrupting normal operations.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, causing the system to become unresponsive or to consume excessive resources.

Reproduction

The vulnerability can be reproduced by providing a malicious configuration file that is loaded from the default location or through the 'ssh_config_parse_file()' and 'ssh_bind_config_parse_file()' functions. Alternatively, the vulnerability can be triggered by misconfiguring the system to allow the libssh library to access dangerous files during configuration parsing.

Remediation

Users are advised to ensure that only regular files are used as configuration and to enforce a configuration file size limit of 16MB.