CVE-2020-11939: 
NixOS vulnerability analysis and mitigation

The vulnerability CVE-2020-11939 affects nDPI through version 3.2 Stable, specifically in its SSH protocol dissector implementation. The vulnerability involves multiple KEXINIT integer overflows that result in a controlled remote heap overflow in the concathashstring function within ssh.c. This security flaw was discovered in March 2020 and publicly disclosed in April 2020 (GitHub Security Lab).

The vulnerability stems from multiple integer overflow vulnerabilities in the SSH protocol dissector's handling of KEXINIT messages. The issue occurs when processing both server-to-client and client-to-server directions, where the code maintains a 16-bit unsigned integer offset variable that can be manipulated through controlled length values. The vulnerability specifically manifests in the concathashstring function in ssh.c, where arithmetic operations on the offset variable can lead to integer wraparound, bypassing intended bounds checks (GitHub Security Lab). The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can be exploited to achieve full Remote Code Execution (RCE) against any network inspection stack that is linked against nDPI and uses it to perform network traffic analysis. The granular nature of the overflow primitive and the ability to control both the contents and layout of the nDPI library's heap memory through remote input makes this a particularly severe vulnerability (GitHub Security Lab).

The vulnerability was patched in nDPI through a commit that addresses the integer overflow issues. The fix involves changing the offset variable from a 16-bit to a 32-bit unsigned integer and adding additional overflow checks in the concathashstring function (GitHub Commit).