Posted on October 17, 2018 at 2:25 PM
New reports claim that a security flaw was found in libssh, a popular library used for supporting the SSH authentication protocol. According to experts, such a flaw has the potential to endanger thousands of enterprise servers, and leave them vulnerable to hijacking.
Due to this flaw, attackers can easily bypass authentication procedures implemented as a level of server protection. In doing so, attackers could get access to servers with enabled SSH connection. In such a scenario, a potential hacker could completely eliminate any need for a password.
In case of an attack, hackers can send a false message to servers. Instead of the message being “SSH2_MSG_USERAUTH_REQUEST” hackers could change it into “SSH2_MSG_USERAUTH_SUCCESS”. As a result, the server would grant them access instead of questioning their identity.
In short, servers can be tricked into thinking that the authentication process has already taken place.
That's basically it, yeah.
— svbl (@svblxyz) October 16, 2018
The situation may not be as bad as it sounds
The vulnerability was named CVE-2018-10933, and its origins were tracked to a libssh 0.6.0 update that was released in January 2014. Soon after its discovery, the libssh team released two new versions that will patch the flaw. These versions include 0.8.4 and 0.7.6, which were released yesterday.
The bug itself was originally discovered by NCC Group’s Peter Winter-Smith. Additionally, Cybereason’s head of security research, Amit Serper, estimated that the library affected around 3,000 servers.
Errrr…. Uh-oh. pic.twitter.com/E4L6JInc0j
— Amit Serper (@0xAmit) October 16, 2018
In terms of coding, the vulnerability is seen as an extremely bad. However, when it comes to real-world computing, the situation may not be so dire after all. This is due to the fact that most IoT devices, servers, and personal computers tend to implement openssh library instead of libssh.
Among the largest websites that are supporting libssh is GitHub, but its security team already confirmed that GitHub is not affected by the bug. This is a good news since if GitHub was vulnerable, anyone could have accessed both the source code, as well as the intellectual property of some of the largest firms in the world.
We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but GHE was never vulnerable to CVE-2018-10933.
— GitHub Security (@GitHubSecurity) October 17, 2018
For now, it was only confirmed that the vulnerable code is present in libssh’s server-side code. What this means is that computers that have libssh-based SSH client are not in danger of having their systems accessed. That is unless the client is designed to also run as an SSH server. So far, no exploits have been reported. However, it is likely that additional reports will start appearing in the next several days.