Security flaw in libssh leaves thousands of servers at risk of hijacking

A vulnerability in libssh, a popular library for supporting the Secure Shell (SSH) authentication protocol, leaves thousands, if not more, of enterprise servers open to attacks. The vulnerability allows an attacker to bypass authentication procedures and gain access to a server with an SSH connection enabled without having to enter the password. An attacker can do this by sending the SSH server an “SSH2_MSG_USERAUTH_SUCCESS” message instead of the “SSH2_MSG_USERAUTH_REQUEST” message that a server usually expects and which libssh uses as a sign that an authentication procedure needs to begin.

Because of a coding error, when libssh receives the “SSH2_MSG_USERAUTH_SUCCESS” message, it interprets it to mean that authentication has already taken place and grants the attacker access to the local server.
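The server-side mistake described above can be modelled in a few lines. This is an added example, not libssh's code: the `session` struct, the `strict` flag and both function names are hypothetical, and only the message numbers (from RFC 4252 and RFC 4254) are real.

```c
#include <stdbool.h>
#include <stdio.h>

/* Message numbers from RFC 4252 (auth) and RFC 4254 (channels). */
enum { MSG_USERAUTH_REQUEST = 50, MSG_USERAUTH_FAILURE = 51,
       MSG_USERAUTH_SUCCESS = 52, MSG_CHANNEL_OPEN = 90 };

/* Hypothetical, simplified server session (not libssh's struct). */
struct session { bool authenticated; bool strict; };

/* Returns true if the packet was accepted, false if it was rejected. */
bool server_handle(struct session *s, int msg, bool password_ok)
{
    switch (msg) {
    case MSG_USERAUTH_REQUEST:
        s->authenticated = password_ok;   /* the only legitimate path */
        return password_ok;
    case MSG_USERAUTH_SUCCESS:
        /* Only a server ever sends this message. A server-side handler
         * that trusts it from the peer is the flaw the article describes. */
        if (s->strict)
            return false;                 /* hardened: refuse in server role */
        s->authenticated = true;          /* flawed: peer declares itself in */
        return true;
    case MSG_CHANNEL_OPEN:
        return s->authenticated;          /* channels need prior auth */
    default:
        return false;
    }
}

/* Feed a message sequence with no valid credentials; report final state. */
bool ends_authenticated(bool strict, const int *msgs, int n)
{
    struct session s = { false, strict };
    for (int i = 0; i < n; i++)
        server_handle(&s, msgs[i], false);
    return s.authenticated;
}

int main(void)
{
    const int seq[] = { MSG_USERAUTH_SUCCESS, MSG_CHANNEL_OPEN }; /* constructed */
    printf("flawed dispatcher authenticated:   %d\n", ends_authenticated(false, seq, 2));
    printf("hardened dispatcher authenticated: %d\n", ends_authenticated(true, seq, 2));
    return 0;
}
```

The hardened branch shows the general rule for a protocol state machine: a server rejects any message type that only a server is allowed to send, whatever state the session is in.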

The vulnerability, which is tracked as CVE-2018-10933, was introduced in libssh 0.6.0, released in January 2014. The libssh team released versions 0.8.4 and 0.7.6 yesterday to address this bug. The bug was discovered by Peter Winter-Smith of NCC Group.

According to Amit Serper, head of security research at Cybereason, the library affects at least 3,000 servers, based on a cursory search performed using the Shodan search engine.

The vulnerability is as bad as it gets in terms of coding, but it is not as bad as it gets in terms of impact on real-world computing. The reason is that most servers, IoT devices, and personal computers prefer to implement SSH support via the OpenSSH library instead of libssh. One of the largest sites that supports libssh is GitHub, but the site’s security team has already come forward to say they are not affected.

GitHub uses libssh to provide an alternative SSH login method for enterprise customers. If GitHub’s libssh-based login method had been vulnerable, an attacker could have gained access to source code and intellectual property of the world’s largest companies.

“We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but [GitHub Enterprise] was never vulnerable to CVE-2018-10933,” the company said on Twitter.

The vulnerable code is only present in libssh’s server-side code, meaning that having a libssh-based SSH client installed on your computer won’t allow an attacker access to your system unless the client is also configured to run as an SSH server.

There are no public exploits available for CVE-2018-10933 yet, but they are trivial to put together, so they are most likely to appear online in the coming days.
