Products from major vendors such as Red Hat, Ubuntu, and others are affected by a major vulnerability that came to light this week and which resides in the libssh library.
The vulnerability, which is tracked in infosec circles as CVE-2018-10933, is an authentication bypass in the libssh code that handles server-side login procedures.
Servers or software applications that use the libssh code to allow users to log into them via the SSH protocol are affected.
The vulnerability is trivial to exploit and requires an attacker to send an affected server an "SSH2_MSG_USERAUTH_SUCCESS" request, which tricks the server into thinking the user has already authenticated.
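The flaw described above can be modelled as a server that processes a message type only a server should ever send. The following C model is an added example, not libssh's code: the session struct, the function names, the shared-dispatcher design and the constructed password are assumptions, and only the message numbers come from RFC 4252.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Message numbers from RFC 4252 (SSH authentication protocol). */
enum { SSH2_MSG_USERAUTH_REQUEST = 50,   /* sent by client */
       SSH2_MSG_USERAUTH_FAILURE = 51,   /* sent by server */
       SSH2_MSG_USERAUTH_SUCCESS = 52 }; /* sent by server */

enum role { ROLE_CLIENT, ROLE_SERVER };

/* Hypothetical session state; not a libssh structure. */
struct session { enum role role; bool authenticated; };

/* Hypothetical stand-in for real credential verification (constructed value). */
static bool check_credentials(const char *password) {
    return password != NULL && strcmp(password, "constructed-secret") == 0;
}

/* Hardening: accept a message type only if the peer's role may send it. */
bool message_allowed(const struct session *s, uint8_t type) {
    switch (type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        return s->role == ROLE_SERVER;
    case SSH2_MSG_USERAUTH_FAILURE:
    case SSH2_MSG_USERAUTH_SUCCESS:
        return s->role == ROLE_CLIENT;
    default:
        return false;
    }
}

/* One dispatcher shared by both roles. enforce_filter == false models the
 * missing check; true models the hardened path. Returns 0 if accepted. */
int handle_message(struct session *s, uint8_t type, const char *password,
                   bool enforce_filter) {
    if (enforce_filter && !message_allowed(s, type))
        return -1;
    switch (type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        s->authenticated = check_credentials(password);
        return s->authenticated ? 0 : -1;
    case SSH2_MSG_USERAUTH_SUCCESS:
        s->authenticated = true; /* only valid when a client hears it from a server */
        return 0;
    default:
        return -1;
    }
}
```

With the filter off, a server-role session ends up authenticated without any credential check; with it on, the same message is rejected and the session state is unchanged.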
The libssh team disclosed the vulnerability on Tuesday, October 16, and initially, it wasn't clear how many products were affected, mainly because OpenSSH is a more popular library that's more regularly used for SSH authentication systems.
But throughout the week, some companies have stepped forward and published security advisories for products that use vulnerable versions of the libssh library. The first to go public was OS maker Red Hat.
"This vulnerability affects libssh shipped in Red Hat Enterprise Linux 7 Extras," the company said in an advisory.
Red Hat plans to update the libssh library to a new version that's not affected. Apps running on Red Hat systems that rely on the OS's libssh library to support incoming SSH connections will be updated once the update goes live, or the library can be updated manually.
Ubuntu also confirmed in an advisory that Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS were affected.
SUSE, another Linux distro, confirmed that SUSE Linux Enterprise Desktop 12 SP3, SUSE Linux Enterprise Module for Basesystem 15, SUSE Linux Enterprise Software Development Kit 12 SP3, SUSE Linux Enterprise Workstation Extension 12 SP3, openSUSE Leap 15.0, and openSUSE Leap 42.3 were also impacted.
F5 Networks, a vendor of load balancers used to triage large quantities of internet traffic, initially said that its BIG-IP products were also impacted. However, after further investigation, the company updated its initial advisory to say that none of its products were affected. In an email to ZDNet, the company said it decided to err on the side of caution and provided mitigations while it looked into the issue.
Cisco has not gone on the record to confirm that its products are affected, but the company has started an investigation into a long list of products that apparently also use libssh. ZDNet readers can consult the full list of products and follow updates on Cisco's investigation via this security advisory.
At the time of writing, no vendor or cyber-security firm has come forward to confirm exploitation attempts that leverage this vulnerability. Nevertheless, it will not take long until actual hacks take place.
Over the course of the week, at least four proof-of-concept (PoC) scripts have been uploaded on GitHub [1, 2, 3, 4], along with a scanner that can allegedly find servers that rely on libssh for SSH authentication.
According to Leap Security, there are around 3,000 servers connected to the Internet that use the library, and roughly 1,800-1,900 of them use a vulnerable version of the libssh library.
"If you have servers present within your organization using libssh ensure they are all patched as soon as possible. This vulnerability is trending and easily exploited," said Leap Security in a blog post this week.
Article updated on October 30 with additional information from F5 Networks stating that none of its products were affected.