libssh, a popular library used for supporting the Secure Shell (SSH) authentication protocol, contains a vulnerability which allows an attacker to bypass authentication procedures and obtain access to servers with an SSH connection enabled. This reportedly leaves thousands of enterprise servers open to attacks.
This critical vulnerability was discovered by Peter Winter-Smith from NCC Group, who notified libssh about the issue privately.
The vulnerability, assigned as CVE-2018-10933, was introduced in libssh 0.6.0, which was released in January 2014.
A hacker could gain full access to a system, bypassing the authentication procedure with a single response. The attacker could perform this by sending the SSH server an "SSH2_MSG_USERAUTH_SUCCESS" message instead of the "SSH2_MSG_USERAUTH_REQUEST" message that a server usually expects and uses as an indication to start the usual authentication procedure.
This occurs due to a coding error. When libssh receives the "SSH2_MSG_USERAUTH_SUCCESS" message, it will understand that authentication has already taken place, and will grant access to the local server.
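As an added illustration (not libssh's own code), here is a toy C model of a server-side authentication state machine: the flawed dispatch honours a USERAUTH_SUCCESS message arriving from the client, while the hardened dispatch only accepts messages a client is permitted to send and treats anything else as a protocol violation. The message numbers are the RFC 4252 values; the struct, enum and function names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* SSH2 user-authentication message numbers (RFC 4252). */
#define SSH2_MSG_USERAUTH_REQUEST 50
#define SSH2_MSG_USERAUTH_FAILURE 51
#define SSH2_MSG_USERAUTH_SUCCESS 52

enum auth_state { AUTH_NONE, AUTH_REQUESTED, AUTH_OK };

struct session { enum auth_state state; };

/* Flawed model: the message type alone selects the handler, so the
 * SUCCESS handler (meaningful only on the client side) is reachable
 * while acting as a server, and the peer's claim is trusted blindly. */
void vulnerable_dispatch(struct session *s, uint8_t msg_type) {
    switch (msg_type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        s->state = AUTH_REQUESTED; /* would go on to verify credentials */
        break;
    case SSH2_MSG_USERAUTH_SUCCESS:
        s->state = AUTH_OK;        /* peer says "authenticated"; believed */
        break;
    default:
        break;
    }
}

/* Hardened model: a server only honours messages a client may send.
 * SUCCESS and FAILURE flow from server to client, never the other way,
 * so receiving one is a protocol violation (return false: disconnect). */
bool hardened_dispatch(struct session *s, uint8_t msg_type) {
    switch (msg_type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        s->state = AUTH_REQUESTED; /* credential check happens here */
        return true;
    default:
        return false; /* includes SUCCESS/FAILURE sent by a client */
    }
}

bool is_authenticated(const struct session *s) { return s->state == AUTH_OK; }

int main(void) {
    struct session a = { AUTH_NONE }, b = { AUTH_NONE };
    vulnerable_dispatch(&a, SSH2_MSG_USERAUTH_SUCCESS);
    bool ok = hardened_dispatch(&b, SSH2_MSG_USERAUTH_SUCCESS);
    printf("flawed: authenticated=%d\n", is_authenticated(&a));
    printf("hardened: accepted=%d authenticated=%d\n", ok, is_authenticated(&b));
    return 0;
}
```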
According to Amit Serper, head of security research at Cybereason, the vulnerable library affects at least 3,000 servers, based on a search performed using the Shodan search engine. Most servers, IoT devices and PCs implement SSH support via OpenSSH rather than libssh. This makes the vulnerability severe as a coding flaw but limited in its impact on real-world servers.
libssh also shows up in some important places, such as GitHub. However, the GitHub security team said on Twitter that, "We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but [GitHub Enterprise] was never vulnerable to CVE-2018-10933."
Patches for the vulnerability
The vulnerable code is only present in libssh's server-side code, meaning that having a libssh-based SSH client installed on your computer will not allow an attacker to access the system. The machine would also have to be configured to run a libssh-based SSH server for the attacker to exploit this vulnerability.
libssh has already released a newer version that fixes the vulnerability, along with details of the vulnerability. Users who have libssh installed, particularly those using the server component, can install the updates from the security advisory released by the libssh project.