Over-Hyped libssh vulnerability

A four-year-old vulnerability in libssh, a library used to implement the Secure Shell (SSH) authentication protocol, could allow malicious actors an easy access to servers with full administrative control.

A security consultant Peter Winter-Smith at NCC Group is the first one to discover the authentication bypass flaw (CVE-2018-10933) in libSSH.

Using the vulnerability, the attackers can bypass authentication procedures and gain access to a server enabled with an SSH connection without entering the password.

This could be done by sending the SSH server “SSH2_MSG_USERAUTH_SUCCESS” message instead of the “SSH2_MSG_USERAUTH_REQUEST” message.

Due to a coding error, the message “SSH2_MSG_USERAUTH_SUCCESS” is interpreted as the “authentication has already taken place” and it grants access to the server.

On June this year, he informed the libSSH team about the flaw, and the patch for the vulnerability was coded in mid-September and the update was released Oct. 16.

However, until now there are no signs of any major sites being affected by the flaw. While,  it is reported that Github support libssh, but its security team has clarified that their site is unaffected by the vulnerability.

“We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but [GitHub Enterprise] was never vulnerable to CVE-2018-10933,” the company said on Twitter.

“I suspect this will end up being a nomination for the most overhyped bug, since half the people on Twitter seem to worry that it affects OpenSSH and the other half (quite correctly!) worry that GitHub uses libssh, when in fact GitHub isn’t vulnerable,” Winter-Smith said.

 “Remove GitHub and my guess is you’ll be left with a small handful of random sftp servers or IoT devices and little else!” he further added.

According to the security researcher, the best way to avoid any kind of flaw is to update the libSSH library to version 0.7.6 or higher.

Here are some of the additional details about the bug as provided by  the researcher Winter-Smith

“The issue is basically a bug in the libssh library, not to be confused with the similarly named libssh2 or OpenSSH projects (especially the latter) which results from the fact that the server uses the same state machine to authenticate clients and servers.

The message dispatching code that processes messages either in client mode or server mode (it’s the same function) doesn’t make sure that the message type received is suitable for the mode it’s running in. So, for example, the server will dispatch messages which are only intended by design for processing client side, even when running in server mode.

The SSH2_MSG_USERAUTH_SUCCESS message is used by the server to inform the client that they were authenticated successfully, it updates the internal libssh state machine to mark the client as being authenticated with the server. What I found was that if the exact same message is sent to the server it updates the state machine to tell the server the client is authenticated.

Technically: I would say that it’s surprising how fairly straightforward bugs with serious consequences can still lurk, and sometimes it pays to take a step back from fuzzing to try to understand how a protocol implementation works.”

Leave a Reply