Vulnerability in LibSSH leaves servers wide open for hijackers

A four-year-old vulnerability in libssh, a library used to implement the Secure Shell (SSH) authentication protocol, could give malicious actors easy access to servers with full administrative control.

Peter Winter-Smith, a security consultant at NCC Group, was the first to discover the authentication bypass flaw (CVE-2018-10933) in libssh.

Using the vulnerability, attackers can bypass authentication and gain access to a server with an SSH connection enabled without entering a password.

This can be done by sending the SSH server an “SSH2_MSG_USERAUTH_SUCCESS” message instead of the “SSH2_MSG_USERAUTH_REQUEST” message.

Due to a coding error, the server interprets the “SSH2_MSG_USERAUTH_SUCCESS” message as meaning that authentication has already taken place, and it grants access.
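The following is an added illustration, not libssh's code: a simplified C model of a server that trusts the message type it receives, next to a version that rejects the success message before any handler runs. The session struct, the function names, the shared dispatch layout and the demo credentials are assumptions made for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Message numbers from RFC 4252 (libssh prefixes them with SSH2_). */
#define SSH2_MSG_USERAUTH_REQUEST 50
#define SSH2_MSG_USERAUTH_SUCCESS 52

enum auth_state { AUTH_NONE, AUTH_SUCCESS };

/* Hypothetical, simplified server-side session; not libssh's own struct. */
struct session { enum auth_state auth; bool closed; };

/* Stand-in credential check with constructed demo values. */
static bool check_password(const char *user, const char *pw) {
    return user && pw && strcmp(user, "alice") == 0
        && strcmp(pw, "correct horse") == 0;
}

/* Handler dispatch shared by both roles (assumed layout for this model). */
static void dispatch(struct session *s, int type,
                     const char *user, const char *pw) {
    switch (type) {
    case SSH2_MSG_USERAUTH_REQUEST:      /* client asks to authenticate */
        if (check_password(user, pw)) s->auth = AUTH_SUCCESS;
        break;
    case SSH2_MSG_USERAUTH_SUCCESS:      /* meant for the client role only */
        s->auth = AUTH_SUCCESS;          /* no credentials were checked */
        break;
    default:
        s->closed = true;                /* unknown message: drop the session */
    }
}

/* Flawed server: every incoming message reaches the shared dispatch. */
void server_receive_flawed(struct session *s, int type,
                           const char *user, const char *pw) {
    dispatch(s, type, user, pw);
}

/* Hardened server: reject messages that only a server may send. */
void server_receive_hardened(struct session *s, int type,
                             const char *user, const char *pw) {
    if (type == SSH2_MSG_USERAUTH_SUCCESS) {
        s->closed = true;                /* protocol violation, auth untouched */
        return;
    }
    dispatch(s, type, user, pw);
}
```

The point of the hardened version is that the server decides which message types are legal for its role and current state, so the session's authentication flag can only change after a credential check.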

In June this year, Winter-Smith informed the libssh team about the flaw; the patch for the vulnerability was coded in mid-September, and the update was released on Oct. 16.

So far, however, there are no signs of any major sites being affected by the flaw. GitHub is reported to support libssh, but its security team has clarified that the site is unaffected by the vulnerability.

“We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but [GitHub Enterprise] was never vulnerable to CVE-2018-10933,” the company said on Twitter.

“I suspect this will end up being a nomination for the most overhyped bug, since half the people on Twitter seem to worry that it affects OpenSSH and the other half (quite correctly!) worry that GitHub uses libssh, when in fact GitHub isn’t vulnerable,” Winter-Smith said.

“Remove GitHub and my guess is you’ll be left with a small handful of random sftp servers or IoT devices and little else!” he further added.

According to the security researcher, the best way to avoid the flaw is to update the libssh library to version 0.7.6 or higher.
