libssh security vulnerability, vendor updates and POC exploit

libssh issued an important security and maintenance release earlier this week to address a critical authentication bypass vulnerability (CVE-2018-10933).

An excerpt of the threat as described in a libssh blog post:

“libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.”

The libssh bug was disclosed on Tuesday, October 16th. Numerous vendors followed up with security updates for products impacted by the libssh bug, to include Red Hat, F5 and Cisco. 

Red Hat said that only libssh shipped in Red Hat Enterprise Linux 7 Extras was affected by the vulnerability.  The issue also did not affect libssh2 or openssh.

“This issue can only be affect applications that use libssh to implement an SSH server; SSH client functionality is not affected. No packages in Red Hat products use libssh to implement an SSH server. Therefore, no package from Red Hat that uses the libssh library is affected by this flaw,” Red Hat added. 

Cisco issued on Friday a critical security update on the libssh bug and is “investigating its product line to determine which products may be affected by this vulnerability.” No patches or workarounds were yet made available as of early Saturday, but Cisco said they will update the advisory with any new information pertaining to the libssh vulnerability and impact to its products. 

ZDNet reported on Saturday that new libssh proof-of-concept (POC) code has been discovered in GitHub as well. 

Leave a Reply