Pre-auth DoS in rush SSH keyboard-interactive auth via unbounded allocation (CVE-2024-4218)

Vulnerability Overview Title: Pre-auth DoS via unbounded allocation in keyboard-interactive auth Description: A pre-authentication denial-of-service (DoS) vulnerability exists in the keyboard-interactive authentication handler of the server. A malicious client can cause a -based server to crash by sending a crafted single packet without providing credentials. Vulnerability Details: In the file, the function decodes a count from the client's and passes it directly to . An attacker can send a minimal packet containing (268M) or larger (approximately 50 bytes when encrypted). The server attempts to allocate (i.e., bytes), resulting in an Out-Of-Memory (OOM) crash. Attack Flow: 1. The attacker establishes a TCP connection and completes the key exchange (no credentials required). 2. The attacker sends a with the method set to . 3. The server handler returns , prompting for credentials (standard 2FA/TOTP). 4. The attacker sends a with and no response data. 5. The server calls , leading to an OOM crash. Affected Configuration: Any server that implements and returns . Downstream projects using for multi-step authentication (e.g., TOTP/2FA) are also affected. Scope of Impact Affected Versions: - : - : Fixed Versions: - : - : CVSS v3 Base Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality: None - Integrity: None - Availability: High CVE ID: CVE-2024-4218 Remediation Recommended Fix: Limit the allocation of to what can actually be contained within the remaining packet data. Each response requires at least 4 bytes (length prefix). Fix Code: Confirmed End-to-End PoC: A complete Docker setup includes a PoC that confirms the OOM crash. A minimal server returning is used for keyboard-interactive authentication. A Python client (used for key exchange) sends a malformed . The container memory limit is set to 512MB; the server crashes due to OOM (exit code 137). PoC Code: Fix Code: Fix Effect: Limits allocations to within the packet size (up to 256KB), while preserving existing behavior for well-formed packets. The fix has been implemented, tested, and contributed via a temporary private branch. Severity: Pre-authentication, remote, no credentials required, causes server process crash, affecting all active sessions. CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

Goal Reached Thanks to every supporter — we hit 100%!

Pre-auth DoS in rush SSH keyboard-interactive auth via unbounded allocation (CVE-2024-4218)

More from this source