CVE-2020-11939

In nDPI through 3.2 Stable, the SSH protocol dissector has multiple KEXINIT integer overflows that result in a controlled remote heap overflow in concat_hash_string in ssh.c. Due to the granular nature of the overflow primitive and the ability to control both the contents and layout of the nDPI library's heap memory through remote input, this vulnerability may be abused to achieve full Remote Code Execution against any network inspection stack that is linked against nDPI and uses it to perform network traffic analysis.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/ntop/nDPI/commit/7ce478a58b4dd29a8d1e6f4e9df2f778613d9202	Patch Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ntop:ndpi:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-04-23 15:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-11939

Mitre link : CVE-2020-11939

CVE.ORG link : CVE-2020-11939

JSON object : View

Products Affected

ntop

ndpi

CWE

CWE-190

Integer Overflow or Wraparound

CWE-787

Out-of-bounds Write

{"id": "CVE-2020-11939", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-04-23T15:15:14.093", "references": [{"url": "https://github.com/ntop/nDPI/commit/7ce478a58b4dd29a8d1e6f4e9df2f778613d9202", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In nDPI through 3.2 Stable, the SSH protocol dissector has multiple KEXINIT integer overflows that result in a controlled remote heap overflow in concat_hash_string in ssh.c. Due to the granular nature of the overflow primitive and the ability to control both the contents and layout of the nDPI library's heap memory through remote input, this vulnerability may be abused to achieve full Remote Code Execution against any network inspection stack that is linked against nDPI and uses it to perform network traffic analysis."}, {"lang": "es", "value": "En nDPI versiones hasta 3.2 Stable, el disector del protocolo SSH tiene m\u00faltiples desbordamientos de enteros KEXINIT que resultan en un desbordamiento de la pila (heap) remoto controlado en la funci\u00f3n concat_hash_string en el archivo ssh.c. Debido a la naturaleza granular de la primitiva de desbordamiento y la capacidad de controlar tanto el contenido como el dise\u00f1o de la memoria de la pila (heap) de la biblioteca de nDPI por medio de una entrada remota, se puede abusar de esta vulnerabilidad para lograr una Ejecuci\u00f3n de C\u00f3digo Remota completa contra cualquier pila de inspecci\u00f3n de red que est\u00e9 vinculada contra nDPI y lo usa para realizar an\u00e1lisis de tr\u00e1fico de red."}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ntop:ndpi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97EDB1C6-9886-4C0B-8F09-5A4C52DC5A45", "versionEndIncluding": "3.2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}