libssh
cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*
A buffer underflow vulnerability has been identified in the libssh API function ssh_get_hexa(). This issue arises when zero-length input is provided, leading to improper handling of the input data. The vulnerability is present in libssh versions 0.12.0 and 0.11.4. The affected function is used internally by ssh_get_fingerprint_hash() and the deprecated ssh_print_hexa(), both of which are susceptible to the same input issue. Additionally, the vulnerability can be triggered remotely during GSSAPI authentication if the server allows this authentication method and the logging verbosity is set to SSH_LOG_PACKET (3) or higher. Exploitation of this vulnerability could result in a self-induced denial-of-service condition, causing the per-connection daemon process to crash or restart.
Exploitation of this vulnerability leads to a buffer underflow, causing memory corruption that could disrupt the normal operation of the affected process. Such corruption may be leveraged for arbitrary code execution, particularly if the manipulated memory can be controlled effectively.
To address this vulnerability, GSSAPI authentication can be disabled by setting GSSAPIAuthentication to 'no' in the sshd_config file. Alternatively, the logging verbosity can be reduced to a level lower than SSH_LOG_PACKET, such as 'INFO'. After making these changes, the sshd service should be restarted to apply the modifications, which may temporarily disrupt active SSH sessions.
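The two mitigations above can be checked mechanically before and after the change. The audit below is an added example, not code from libssh or from this advisory; it assumes OpenSSH-style parsing (first occurrence of a keyword wins, only the global section before any `Match` block is read) and that the LogLevel names in `LOW_VERBOSITY` sit below SSH_LOG_PACKET, of which the page names only 'INFO'.

```python
import re

# Assumption: LogLevel names treated as below packet-level logging.
# The page names only 'INFO'; the quieter names are assumed quieter still.
LOW_VERBOSITY = {"QUIET", "FATAL", "ERROR", "INFO"}

def effective_settings(config_text):
    """Return global settings; the first occurrence of a keyword wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                # keywords are case-insensitive
        if key == "match":                    # Match overrides are not evaluated
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip().strip('"'))
    return settings

def audit(config_text):
    """Report which mitigation, if any, is explicitly configured."""
    s = effective_settings(config_text)
    gss, level = s.get("gssapiauthentication"), s.get("loglevel")
    gss_off = gss is not None and gss.lower() == "no"
    log_low = level is not None and level.upper() in LOW_VERBOSITY
    unset = [name for name, value in
             (("GSSAPIAuthentication", gss), ("LogLevel", level)) if value is None]
    return {"gssapi_disabled": gss_off, "log_below_packet": log_low,
            "mitigated": gss_off or log_low, "unset": unset}

# Constructed sample inputs, not taken from any real host.
SAMPLE_EXPOSED = """\
Port 22
GSSAPIAuthentication yes
LogLevel DEBUG3
"""
SAMPLE_MITIGATED = """\
gssapiauthentication=no   # first value wins
LogLevel DEBUG3
GSSAPIAuthentication yes
Match User alice
    LogLevel INFO
"""

if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED), ("mitigated", SAMPLE_MITIGATED)):
        print(name, audit(text))
```

A directive reported in `unset` relies on the server's built-in default, which this check does not assume, so set it explicitly.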