CVE-2022-21716
📋 TL;DR
CVE-2022-21716 is a memory exhaustion vulnerability in Twisted's SSH transport (twisted.conch), which is shared by its SSH client and server implementations. Until the peer's SSH version identification line has arrived, the transport appends every incoming byte to an in-memory buffer with no upper bound, so an unauthenticated peer that keeps sending data without ever sending a version line can make the process consume all available memory and crash. Any application running a Twisted release before 22.2.0 with Conch SSH enabled (client or server) is affected.
💻 Affected Systems
- Twisted before 22.2.0, when twisted.conch SSH (client or server) is in use
📦 What is this software?
Fedora by Fedoraproject
Twisted by Twisted
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service through memory exhaustion, potentially causing system crashes and service unavailability.
Likely Case
Service disruption and denial of service affecting SSH connectivity and dependent applications.
If Mitigated
Limited impact with proper network segmentation and monitoring, but still vulnerable to DoS from authorized network segments.
🎯 Exploit Status
The vendor advisory gives a one-line trigger: `nc -rv localhost 22 < /dev/zero` aimed at a listening Twisted SSH service streams an endless run of bytes that never contains a version line, and the server buffers all of it until memory runs out. No authentication is required and no special tooling is needed; substitute the port your Twisted SSH service actually listens on.
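The buffering pattern behind the trigger above, as an added example (this is illustrative code, not Twisted's implementation): both readers collect bytes until a complete `SSH-...` identification line arrives (RFC 4253 section 4.2, which also allows other lines before it), but only the bounded reader gives up and disconnects once the buffer exceeds a cap. The 4 KiB cap, the class names and the constructed zero-byte stream are assumptions for this example and are not Twisted's constants or code.

```python
"""Added example (not Twisted's code): unbounded vs. bounded buffering of the
SSH identification line, the pattern behind CVE-2022-21716."""

IDENT_PREFIX = b"SSH-"
MAX_IDENT_BUF = 4096  # assumption for this example, not Twisted's limit


class ProtocolError(Exception):
    """Raised by the bounded reader where a real transport would disconnect."""


def extract_version(buf):
    """Return (version_line_or_None, remaining_buffer).

    Complete lines that do not start with b"SSH-" are pre-banner text the
    peer may legitimately send before its version line, and are discarded.
    An incomplete trailing line stays in the buffer.
    """
    while b"\n" in buf:
        line, _, buf = buf.partition(b"\n")
        if line.startswith(IDENT_PREFIX):
            return line.rstrip(b"\r"), buf
    return None, buf


class UnboundedVersionReader:
    """Vulnerable pattern: keep appending until a version line shows up."""

    def __init__(self):
        self.buf = b""
        self.version = None

    def data_received(self, data):
        self.buf += data  # grows without limit while no newline arrives
        if self.version is None:
            self.version, self.buf = extract_version(self.buf)


class BoundedVersionReader(UnboundedVersionReader):
    """Hardened pattern: same parse, but disconnect once the cap is exceeded."""

    def data_received(self, data):
        self.buf += data
        if self.version is None:
            self.version, self.buf = extract_version(self.buf)
            if self.version is None and len(self.buf) > MAX_IDENT_BUF:
                self.buf = b""  # release memory before tearing down
                raise ProtocolError(
                    "identification string exceeds %d bytes" % MAX_IDENT_BUF
                )


def feed(reader, chunks):
    """Feed chunks to a reader; return (bytes_buffered, version, disconnected)."""
    for chunk in chunks:
        try:
            reader.data_received(chunk)
        except ProtocolError:
            return len(reader.buf), reader.version, True
    return len(reader.buf), reader.version, False


def zero_stream(total, chunk=1024):
    """Constructed attacker input: `total` zero bytes with no newline,
    the shape of traffic that `nc ... < /dev/zero` produces."""
    for _ in range(total // chunk):
        yield b"\x00" * chunk


if __name__ == "__main__":
    # Constructed sample traffic for a stand-alone run.
    attack = list(zero_stream(1 << 20))
    legit = [b"Welcome banner\r\n", b"SSH-2.0-Open", b"SSH_9.3\r\n"]
    print("unbounded, attack:", feed(UnboundedVersionReader(), attack))
    print("bounded,   attack:", feed(BoundedVersionReader(), attack))
    print("bounded,   legit: ", feed(BoundedVersionReader(), legit))
```

A 1 MiB stream leaves the unbounded reader holding the whole megabyte with no version parsed, while the bounded reader disconnects after the fifth kilobyte. The cap can be much tighter in practice: RFC 4253 limits the identification line itself to 255 bytes including CRLF, so only the optional pre-banner lines justify anything larger.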
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.2.0
Vendor Advisory: https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
Restart Required: Yes
Instructions:
1. Upgrade Twisted to version 22.2.0 or later using pip (quote the specifier so the shell does not treat `>` as a redirect): pip install --upgrade "twisted>=22.2.0"
2. Restart all services using Twisted SSH functionality
3. Verify the upgrade with: python -c "import twisted; print(twisted.__version__)"
🔧 Temporary Workarounds
No known workarounds
The vendor advisory states there are no known workarounds. Patching is required.
🧯 If You Can't Patch
- Implement network-level controls to restrict SSH access to trusted sources only
- Monitor memory usage on systems running Twisted SSH services and implement alerting for abnormal consumption
🔍 How to Verify
Check if Vulnerable:
Check Twisted version: python -c "import twisted; print(twisted.__version__)" - if the version is lower than 22.2.0 and the application uses twisted.conch SSH (client or server), the system is vulnerable. Compare version components numerically rather than as strings (a string comparison ranks 22.10.0 below 22.2.0), and remember that distribution packages may carry the fix as a backport under an older upstream version number, so check the distribution advisory for those.
Check Version:
python -c "import twisted; print(twisted.__version__)"
Verify Fix Applied:
Verify Twisted version is 22.2.0 or higher: python -c "import twisted; print(twisted.__version__)" should show 22.2.0 or greater.
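The version check from this section as an added example (not Twisted's or a distribution's own tooling): it reads the installed version from package metadata and compares the numeric components against the fixed release, avoiding the string-comparison trap where "22.10.0" sorts before "22.2.0". The function names are assumptions for this example; pre-release and post-release suffixes are ignored, and a backported distribution fix will still show as vulnerable here because only the upstream version number is inspected.

```python
"""Added example (not Twisted's code): numeric version comparison against the
CVE-2022-21716 fix release, plus a lookup of the installed Twisted version."""
import re

FIXED_VERSION = (22, 2, 0)  # first upstream release containing the fix


def parse_version(text):
    """Turn '22.1.0', '22.10.0rc1' or '21.7.0.post0' into a tuple of the
    leading numeric components, padded to three places so (22, 2) == (22, 2, 0)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_vulnerable(version_text):
    """True when the upstream version predates the fix in 22.2.0."""
    return parse_version(version_text)[:3] < FIXED_VERSION


def installed_twisted_version():
    """Installed Twisted version from package metadata, or None if absent."""
    try:
        from importlib.metadata import PackageNotFoundError, version
    except ImportError:  # Python older than 3.8
        return None
    try:
        return version("twisted")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    installed = installed_twisted_version()
    if installed is None:
        print("Twisted is not installed in this interpreter")
    else:
        state = "VULNERABLE (below 22.2.0)" if is_vulnerable(installed) else "fixed"
        print("Twisted %s: %s" % (installed, state))
```

Run it inside the same virtual environment or interpreter that the Twisted SSH service uses; a system-wide Twisted that is already patched says nothing about a copy vendored into an application's own environment.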
📡 Detection & Monitoring
Log Indicators:
- SSH connections that send large amounts of data without ever completing version exchange, where the service logs the handshake
- Memory exhaustion alerts
- SSH service crashes or restarts
Network Indicators:
- Excessive data sent during SSH version negotiation
- Unusual traffic patterns to the port the Twisted SSH service listens on (22 by default in the advisory's example, but often a non-standard port for application-embedded SSH)
SIEM Query:
source="*ssh*" AND (message="*memory*" OR message="*exhaust*" OR message="*crash*")
🔗 References
- https://github.com/twisted/twisted/commit/89c395ee794e85a9657b112c4351417850330ef9
- https://github.com/twisted/twisted/releases/tag/twisted-22.2.0
- https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
- https://lists.debian.org/debian-lts-announce/2022/03/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/
- https://security.gentoo.org/glsa/202301-02
- https://twistedmatrix.com/trac/ticket/10284
- https://www.oracle.com/security-alerts/cpuapr2022.html