Security flaw in libssh leaves thousands of servers at risk of hijacking

Vulnerability not as bad as it gets, as most servers use the openssh library to support server-side SSH logins.
Written by Catalin Cimpanu, Contributor

A vulnerability in libssh, a popular library for implementing the Secure Shell (SSH) protocol, leaves thousands of enterprise servers, if not more, open to attack.

The vulnerability allows an attacker to bypass authentication procedures and gain access to a server with an SSH connection enabled without having to enter the password.

An attacker can do this by sending the SSH server an "SSH2_MSG_USERAUTH_SUCCESS" message instead of the "SSH2_MSG_USERAUTH_REQUEST" message that a server usually expects, and which libssh uses as the signal that an authentication procedure needs to start.

Because of a coding error, when libssh receives the "SSH2_MSG_USERAUTH_SUCCESS" message, it interprets this as meaning that authentication has already taken place, and grants the attacker access to the server.
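To make the state-machine mistake concrete, below is a small Python model, added here and not libssh's own code, of a server-side user-authentication dispatcher in a vulnerable form and a hardened form. The message numbers come from RFC 4252; the `Session` class, the two dispatch functions and the placeholder credential check are assumptions of the model, not libssh functions. The hardened version shows the check a server should make: a USERAUTH_SUCCESS packet is something a server sends, never something it accepts from the client, so receiving one must be treated as a protocol error rather than a change of state.

```python
# Message numbers from RFC 4252 (SSH authentication protocol).
SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_USERAUTH_FAILURE = 51
SSH2_MSG_USERAUTH_SUCCESS = 52

# The only userauth message type a server should ever accept from a client.
CLIENT_USERAUTH_MESSAGES = {SSH2_MSG_USERAUTH_REQUEST}


class Session:
    """Constructed per-connection state for the model (not libssh's ssh_session)."""

    def __init__(self):
        self.authenticated = False
        self.rejected = []  # message types refused as protocol violations


def handle_userauth_request(session, payload):
    """Placeholder credential check; stands in for real pubkey/password verification."""
    if payload == b"correct-credential":  # constructed sample credential
        session.authenticated = True
        return "authenticated"
    return "failure"


def vulnerable_dispatch(session, msg_type, payload=b""):
    """Flawed pattern: a handler for USERAUTH_SUCCESS is reachable on the server side,
    so a client-originated packet of that type flips the session to authenticated."""
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        return handle_userauth_request(session, payload)
    if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
        session.authenticated = True  # trusts the peer's claim of success
        return "authenticated"
    return "ignored"


def hardened_dispatch(session, msg_type, payload=b""):
    """Fix: only message types a client may legitimately send are dispatched.
    USERAUTH_SUCCESS and USERAUTH_FAILURE are server-to-client messages, so receiving
    one from the client is a protocol violation and leaves the state untouched."""
    if msg_type not in CLIENT_USERAUTH_MESSAGES:
        session.rejected.append(msg_type)
        return "protocol-error"
    return handle_userauth_request(session, payload)


if __name__ == "__main__":
    s = Session()
    print(vulnerable_dispatch(s, SSH2_MSG_USERAUTH_SUCCESS), s.authenticated)
    s = Session()
    print(hardened_dispatch(s, SSH2_MSG_USERAUTH_SUCCESS), s.authenticated)
```

The design point is that authentication state must only be set by the server's own verification path, never by the message type the peer chooses to send; whitelisting the client-originated message types in the userauth state is the simplest way to enforce that, and the `rejected` list gives an obvious hook for logging such protocol violations.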

The vulnerability, which is tracked as CVE-2018-10933, was introduced in libssh 0.6.0, released in January 2014. The libssh team released versions 0.8.4 and 0.7.6 yesterday to address this bug.

The bug was discovered by Peter Winter-Smith of NCC Group.

According to Amit Serper, head of security research at Cybereason, the flaw affects at least 3,000 servers, based on a cursory search performed using the Shodan search engine.

The vulnerability is as bad as it gets in terms of coding, but it is not as bad as it gets in terms of impact on real-world computing.

The reason is that most servers, IoT devices, and personal computers prefer to implement SSH support via the openssh library instead of libssh.

One of the largest sites that uses libssh is GitHub, but the site's security team has already come forward to say it is not affected. GitHub uses libssh to provide an alternative SSH login method for enterprise customers. Had GitHub's libssh-based login method been vulnerable, an attacker could have gained access to the source code and intellectual property of the world's largest companies.

"We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but [GitHub Enterprise] was never vulnerable to CVE-2018-10933," the company said on Twitter.

The vulnerable code is only present in libssh's server-side code, meaning that having a libssh-based SSH client installed on your computer won't allow an attacker access to your system unless the client is also configured to run as an SSH server.

There are no public exploits available for CVE-2018-10933 yet, but they are trivial to put together, so they are likely to appear online in the following days.
