Rewterz Threat Advisory – CVE-2018-10933 – libSSH authentication bypass vulnerability

Friday, October 19, 2018

A serious bug is found in SSH library that lets unauthorized people login without asking for credentials.

 

 

IMPACT:  HIGH

 

 

PUBLISH DATE:  19-10-2018

 

 

OVERVIEW

 

 

A vulnerability in libssh’s server-side state machine before versions 0.7.6 and 0.8.4 could lead to creation of channels without first performing authentication. This way, people with malicious intent can acquire unauthorized access.

 

 

ANALYSIS

 

 

LibSSH is possibly the most widely deployed remote access protocol in the world. Unix and Linux servers use SSH for remote administration. SSH stands for secure shell, where the term shell is Unix-speak for a command prompt, the place where most Unix-style functions of system administration are performed. The functions can be performed either by a logged-in human manually, or automatically via a logged-in script.

 

The vulnerability found in the libSSH can only affect applications that use libssh to implement an SSH server whereas SSH client functionality is not affected. For example, no packages in Red Hat Enterprise Linux 6 and prior use libssh to implement an SSH server and therefore remain unaffected by this vulnerability. Moreover, this issue does not affect libssh2 or openssh.

 

Since customers and third-party codes use the libssh library, any code using the ssh_bind* functions may be affected by this flaw.

 

The issue is important because the library is used to create a secure tunnel for encrypted communication between two computers on the internet. Secure file transfer between servers, and secure data synchronization between data centers also make use of the libssh library.

 

Libssh is used as the SSH server of one giant platform, Microsoft’s GitHub source code repository. The risk of unauthorized access for such platforms using libssh as their SSH server is quite considerable.

 

The following snap from nakedsecurity shows how a client can successfully login just by talking to the server. The bug confuses the server in a peculiar way, in which the client can tell the server that authentication has been successful, instead of the server giving access to the client after careful verification of credentials.

 

 

 

 

AFFECTED PRODUCTS

 

 

Libssh server-side state machine before versions 0.7.6 and 0.8.4

 

 

UPDATES

 

 

This vulnerability has been addressed in libssh versions 0.8.4 and 0.7.6, so it is important to update servers once server distributions release patches. Additionally, if software creators implement the libssh library in server mode, they should update to the latest version of the library.

 

 

If you think you’re the victim of a cyber-attack, immediately send an e-mail to soc@rewterz.com

Data Sheets

Corporate Brochure


Our Story


Services


Solutions


Managed Security


Upcoming Rewterz Trainings/Events

Rewterz News

  • 15, November 2018 Rewterz Threat Advisory – Microsoft Windows Server 2008 and Windows 7 multiple vulnerabilities
  • 15, November 2018 Rewterz Threat Advisory – CVE-2018- 8416 – Microsoft .NET core security bypass vulnerability
  • 14, November 2018 Rewterz Threat Advisory – CVE-2018-8256 & CVE-2018-8415 – Windows PowerShell Multiple Vulnerabilities
  • 14, November 2018 Rewterz Threat Advisory – Microsoft Windows Server 2019 Multiple Vulnerabilities

Copyright © Rewterz. All rights reserved.