Libssh library contains vulnerability that allows authentication bypass

A security researcher has found a leak in the libssh software library, which implements the ssh protocol. The vulnerability makes it possible to bypass authentication on a vulnerable server. The number of vulnerable servers is estimated at six thousand. Patches are available.

An advisory has been published on libssh.org that contains more details about the vulnerability with attribute CVE-2018-10933. For example, the vulnerability is present in versions 0.6 and above of the software, with the first vulnerable version released in January of 2014. According to the description, the server code contains a flaw that allows an attacker to send the message ‘SSH2_MSG_USERAUTH_SUCCESS’ to the server and thus authenticate. complete without using credentials. The leak’s discoverer, Peter Winter-Smith of the NCC Group, told Ars Technica that libssh is only vulnerable in ‘server mode’ and not in ‘client mode’.

The site publishes a Shodan search, which finds about 6,000 vulnerable servers. A search from security researcher Amit Serper, specified on port 22, yields about three thousand vulnerable servers. As a result, the consequences seem limited, also because the popularity of OpenSSH is greater. One of the biggest sites that use libssh in server mode is GitHub, but this one already let you know not be vulnerable by using a modified version of the library.

Patches are now available in the form of versions 0.8.4 and 0.7.6. Libssh is a software library written mainly in C that implements the ssh protocol. With ssh it is possible to set up a secure connection to, for example, a server to manage it remotely. An attacker who takes advantage of the current vulnerability is therefore able to access and take over a server.