FKIE_CVE-2024-43410

Vulnerability from fkie_nvd - Published: 2024-08-21 16:15 - Updated: 2025-08-13 18:32
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Russh is a Rust SSH client & server library. Allocating an untrusted amount of memory allows any unauthenticated user to OOM a russh server. An SSH packet consists of a 4-byte big-endian length, followed by a byte stream of this length. After parsing and potentially decrypting the 4-byte length, russh allocates enough memory for this bytestream, as a performance optimization to avoid reallocations later. But this length is entirely untrusted and can be set to any value by the client, causing this much memory to be allocated, which will cause the process to OOM within a few such requests. This vulnerability is fixed in 0.44.1.
References
security-advisories@github.comhttps://github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55Patch
security-advisories@github.comhttps://github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqgExploit, Vendor Advisory
Impacted products
Vendor Product Version
russh_project russh *
warpgate_project warpgate *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:russh_project:russh:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "9D88D02C-22D3-4C01-BEB7-BA3967189488",
              "versionEndExcluding": "0.44.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:warpgate_project:warpgate:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F311333F-14EB-455B-BCC0-9654E39CBA0E",
              "versionEndExcluding": "0.10.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Russh is a Rust SSH client \u0026 server library. Allocating an untrusted amount of memory allows any unauthenticated user to OOM a russh server. An SSH packet consists of a 4-byte big-endian length, followed by a byte stream of this length.\nAfter parsing and potentially decrypting the 4-byte length, russh allocates enough memory for this bytestream, as a performance optimization to avoid reallocations later. But this length is entirely untrusted and can be set to any value by the client, causing this much memory to be allocated, which will cause the process to OOM within a few such requests. This vulnerability is fixed in 0.44.1."
    },
    {
      "lang": "es",
      "value": "Russh es una librer\u00eda de servidor y cliente Rust SSH. La asignaci\u00f3n de una cantidad de memoria que no es de confianza permite que cualquier usuario no autenticado utilice OOM en un servidor russh. Un paquete SSH consta de una longitud big-endian de 4 bytes, seguida de un flujo de bytes de esta longitud. Despu\u00e9s de analizar y potencialmente descifrar la longitud de 4 bytes, russh asigna suficiente memoria para este flujo de bytes, como optimizaci\u00f3n del rendimiento para evitar reasignaciones posteriores. Pero esta longitud no es de confianza y el cliente puede establecerla en cualquier valor, lo que provoca que se asigne tanta memoria, lo que provocar\u00e1 que el proceso entre en OOM dentro de unas pocas solicitudes de este tipo. Esta vulnerabilidad se solucion\u00f3 en 0.44.1."
    }
  ],
  "id": "CVE-2024-43410",
  "lastModified": "2025-08-13T18:32:43.660",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-08-21T16:15:08.373",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.