CVE-2020-11939

Published: Apr 23, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

In nDPI through 3.2 Stable, the SSH protocol dissector has multiple KEXINIT integer overflows that result in a controlled remote heap overflow in concat_hash_string in ssh.c. Due to the granular nature of the overflow primitive and the ability to control both the contents and layout of the nDPI library's heap memory through remote input, this vulnerability may be abused to achieve full Remote Code Execution against any network inspection stack that is linked against nDPI and uses it to perform network traffic analysis.

Affected (1)

Products: Ntop: Ndpi

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ntop Ndpi	Up to 3.2

Related CWEs

Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (4)

https://github.com/ntop/nDPI/commit/7ce478a58b4dd29a8d1e6f4e9df2f778613d9202

Source: cve@mitre.org

PatchThird Party Advisory

https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/ntop/nDPI/commit/7ce478a58b4dd29a8d1e6f4e9df2f778613d9202

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.