Hacker: I’m logged in. New LibSSH Vulnerability: OK! I believe you.

Newly released versions of the libssh library fix an authentication bypass flaw that grants access to the server by just telling it that the procedure was a success.

The libssh library enables support of the Secure Shell (SSH) protocol in applications, allowing an encrypted connection between clients and servers.

Discovered by Peter Winter-Smith of NCC Group, the vulnerability received the identification number CVE-2018-10933 and it affects the server part of libssh.

Laughably easy to exploit is an understatement

Leveraging it is a simple matter of presenting the server with the  SSH2_MSG_USERAUTH_SUCCESS message, which shows that the login already occurred without a problem.

The server expects the message SSH2_MSG_USERAUTH_REQUEST to start the authentication procedure, but by skipping it an attacker can log in without showing any credentials.

The trick is possible in library versions 0.6 and above, and there is no workaround available, informs an advisory on Thursday from the libssh team. The issue has been addressed in revisions 0.8.4 and 0.7.6 of the library.

Tally of affected servers unknown

A quick search for ‘libssh’ on Shodan shows that the libary is present on more than 6,000 systems available online. Amit Serper, head of research at security company Cybereason, filtered the results by introducing the default SSH port in the query, which dropped the number to around 3,000.

It is important to note that these searches make no distinction between the various versions of libssh running on machines connected to the internet. The results showed that some of them used versions lower than 0.6, which are not affected by CVE-2018-10933, but include other bugs.

Code on GitHub is safe

One organization that relies on libssh is GitHub, albeit a custom implementation that does not use the SSH2_MSG_USERAUTH_SUCCESS message for authentication based on public key authentication method.

“Patches have been applied out of an abundance of caution, but [GitHub Enterprise] was never vulnerable to CVE-2018-10933,” the company tweeted.

The simplicity of the bypass has not gone unnoticed, one user comparing it to a Jedi mind trick for the hacker world:

Some of them liken the vulnerability to tricks seen in cartoons:


Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Most Popular

To Top