<?xml version="1.0" encoding="UTF-8"?>
<cvrf:cvrfdoc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cvrf-common="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/common" xmlns:cvrf="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
    <cvrf:DocumentTitle>libssh2 1.8.2 release (Mar 25, 2019)</cvrf:DocumentTitle>
    <cvrf:DocumentType>Fortinet PSIRT Advisories</cvrf:DocumentType>
    <cvrf:DocumentPublisher Type="Vendor">
        <cvrf:ContactDetails>
            Fortinet PSIRT Contact:
            Website: https://fortiguard.fortinet.com/faq/psirt-contact
        </cvrf:ContactDetails>
    </cvrf:DocumentPublisher>
    <cvrf:DocumentTracking>
        <cvrf:Identification>
            <cvrf:ID>FG-IR-19-099</cvrf:ID>
        </cvrf:Identification>
        <cvrf:Status>Final</cvrf:Status>
        <cvrf:Version>1</cvrf:Version>
        <cvrf:RevisionHistory>
            <cvrf:Revision>
                <cvrf:Number>1</cvrf:Number>
                <cvrf:Date>2019-11-14T00:00:00</cvrf:Date>
                <cvrf:Description>Current version</cvrf:Description>
            </cvrf:Revision>
        </cvrf:RevisionHistory>
        <cvrf:InitialReleaseDate>2019-11-14T00:00:00</cvrf:InitialReleaseDate>
        <cvrf:CurrentReleaseDate>2019-11-14T00:00:00</cvrf:CurrentReleaseDate>
    </cvrf:DocumentTracking>
    <cvrf:DocumentNotes>
        <cvrf:Note Title="Summary" Type="Summary" Ordinal="1">
            Multiple integer overflow and out of bounds read/write vulnerabilities in the SSL VPN web-mode SSH client may allow an unauthenticated attacker to cause the SSL VPN user session to break (Denial of service) and possibly to run arbitrary code via specially crafted packets sent from a malicious SSH server.

            This concerns the following CVEs on a precaution basis:

            CVE-2019-3855: integer overflow when reading a specially crafted packet
            CVE-2019-3856: integer overflow if the server sent an extremely large number of keyboard prompts
            CVE-2019-3857: integer overflow when receiving a specially crafted exit signal message channel packet
            CVE-2019-3858: zero byte allocation when reading a specially crafted SFTP packet
            CVE-2019-3859: out of bounds reads in _libssh2_packet_require(v)
            CVE-2019-3860: out of bounds reads when processing specially crafted SFTP packets
            CVE-2019-3861: out of bounds read when processing a specially crafted packet
            CVE-2019-3862: out of bounds read when receiving a specially crafted exit status message channel packet
            CVE-2019-3863: integer overflow in userauth_keyboard_interactive with a number of extremely long prompt strings
        </cvrf:Note>
        <cvrf:Note Title="Description" Type="General" Ordinal="2">
            None
        </cvrf:Note>
        <cvrf:Note Title="Impact" Type="General" Ordinal="3">
            Denial of service
        </cvrf:Note>
        <cvrf:Note Title="Affected Products" Type="General" Ordinal="4">
            FortiOS 6.2.0
            FortiOS 6.0.0 to 6.0.6
            FortiOS 5.6.0 to 5.6.10
            Other versions are not impacted.
        </cvrf:Note>
        <cvrf:Note Title="Solutions" Type="General" Ordinal="5">
            There is no known exploit for these vulnerabilities, and the affected FortiOS code was patched in 5.6.11, 6.0.7 and 6.2.1 as a precaution.

            Workarounds:
            Do not access an SSH server using the SSH client in SSL VPN web-mode if the remote SSH server is operating in an untrusted environment.
        </cvrf:Note>
    </cvrf:DocumentNotes>
    <Vulnerability Ordinal="1">
        <Title>libssh2 1.8.2 release (Mar 25, 2019)</Title>
        <CVSSScoreSets>
            <ScoreSetV3>
                <BaseScoreV3>9.8</BaseScoreV3>
                <VectorV3>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:X/RC:X</VectorV3>
            </ScoreSetV3>
        </CVSSScoreSets>
        <References Type="Self">
            <Reference>
                <URL>https://fortiguard.fortinet.com/psirt/FG-IR-19-099</URL>
                <Description>libssh2 1.8.2 release (Mar 25, 2019)</Description>
            </Reference>
        </References>
    </Vulnerability>
</cvrf:cvrfdoc>