Libssh authentication bypass leaves servers open to attacks


A bug more than four years old in libssh, a Secure Shell implementation, makes it easy for anyone to gain administrative control of a vulnerable server. While the authentication bypass flaw is a major security hole that should be patched immediately, it wasn't immediately clear which sites or devices were vulnerable, since neither the widely used OpenSSH nor GitHub's implementation of libssh was affected. The vulnerability, which was introduced in libssh version 0.6 in 2014, makes it possible to log in by sending a server an SSH2_MSG_USERAUTH_SUCCESS message rather than the SSH2_MSG_USERAUTH_REQUEST message the server was expecting. The last time the world saw an authentication bypass bug with such serious consequences and requiring so little effort was a year ago, when Apple's macOS let people log in as admin without entering a password.
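The following added example (not libssh's code and not from the original article) is a simplified model of this class of flaw: a message dispatcher that runs the same handlers for client and server sessions, next to one that filters by role first. The `session` structure, `credentials_ok` and the `dispatch_*` functions are hypothetical; only the message numbers come from RFC 4252.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Message numbers defined in RFC 4252. */
#define SSH2_MSG_USERAUTH_REQUEST 50
#define SSH2_MSG_USERAUTH_SUCCESS 52

enum role { ROLE_CLIENT, ROLE_SERVER };

/* Hypothetical, simplified session state (not libssh's real structure). */
struct session { enum role role; bool authenticated; };

/* Hypothetical stand-in for password/key verification; always rejects here. */
static bool credentials_ok(const struct session *s) { (void)s; return false; }

/* Handlers shared by both roles. SUCCESS is meant for a client that has
 * just been told by the server that its login was accepted. */
static int run_handler(struct session *s, uint8_t type)
{
    switch (type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        s->authenticated = credentials_ok(s);
        return 0;
    case SSH2_MSG_USERAUTH_SUCCESS:
        s->authenticated = true;
        return 0;
    default:
        return -1;
    }
}

/* Flawed: no check that the peer is allowed to send this message type,
 * so a server session marks itself authenticated on a peer's SUCCESS. */
int dispatch_flawed(struct session *s, uint8_t type) { return run_handler(s, type); }

/* Hardened: reject messages that are invalid for this side of the
 * connection before any handler can touch the session state. */
int dispatch_hardened(struct session *s, uint8_t type)
{
    bool is_request = (type == SSH2_MSG_USERAUTH_REQUEST);
    if ((s->role == ROLE_SERVER) != is_request)
        return -1; /* caller should drop the connection */
    return run_handler(s, type);
}

int main(void)
{
    struct session a = { ROLE_SERVER, false }, b = { ROLE_SERVER, false };
    dispatch_flawed(&a, SSH2_MSG_USERAUTH_SUCCESS);
    dispatch_hardened(&b, SSH2_MSG_USERAUTH_SUCCESS);
    printf("flawed: %d, hardened: %d\n", a.authenticated, b.authenticated);
    return 0;
}
```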

The effects of attacks, if any, aren't known. In a worst-case scenario, hackers would be able to use the exploit to gain complete control over vulnerable servers. The hackers could steal encryption keys and user data, install rootkits and erase logs that recorded the unauthorized access. Anyone who has used a vulnerable version of libssh in server mode should consider conducting a thorough audit of their network immediately after updating. So far, there have been no reports of any large sites being attacked with the exploit, which the National Institute of Standards and Technology tagged CVE-2018-10933. While GitHub uses libssh, site officials stated that they are unaffected by CVE-2018-10933 because of how they use the library. In a follow-up tweet, GitHub security officials said they use a customized version of libssh that implements an authentication mechanism separate from the one provided by the library. To be cautious, GitHub installed a patch after NIST published the vulnerability in its National Vulnerability Database.


Projects that have publicly stated that they use libssh include KDE, which uses it to implement the sftp module that allows secure file transfers between different computers. Another is KDE X2Go, which uses the SSH library to secure the connection to a remote X desktop. It's not clear whether these implementations are affected.

The flaw was fixed in libssh versions 0.8.4 and 0.7.6. Developers using server mode implementations should carefully audit their systems to uncover any vulnerable instances. Anyone who runs a vulnerable version of libssh should patch immediately. And anyone who used the library to receive incoming connections from untrusted users should also consider closely examining their servers for signs of compromise. So far, all indications are that the number of devices affected by this high-severity bug is relatively small.