Hey folks, thought I’d share this vulnerability here as I know many of you manage a lot of servers for yourselves and clients. The fix will be landing in all the main distros soon.
This is an important security and maintenance release in order to address CVE-2018-10933.
libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authenticate without any credentials.
I’ve been trying to work out (a) the potential impact of this, i.e. how it could be exploited, and (b) which, if any, servers this affects… and I haven’t got very far. On (b), on our Debian Stretch servers we only have libssh2 installed:
I heard that libssh is used on some specific deployments, e.g. GitHub git over SSH (though no source for this). Sometimes in conjunction with SFTP. It’s also used in some remote desktop clients as far as I can see.
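
The advisory text quoted above describes a server acting on a message type that only a server should ever send. As an added example (not code from this thread or from libssh), here is a simplified model of that server-side flaw next to a role check that rejects it. The session struct, function names and sample secret are assumptions made up for illustration; only the message numbers are real (RFC 4252).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Message numbers from RFC 4252. */
enum { SSH2_MSG_USERAUTH_REQUEST = 50, SSH2_MSG_USERAUTH_FAILURE = 51,
       SSH2_MSG_USERAUTH_SUCCESS = 52 };

/* Hypothetical session model (assumption), not libssh's own structure. */
struct session { bool is_server; bool authenticated; };

/* Stand-in for real credential verification; the secret is constructed. */
static bool credentials_ok(const char *secret) {
    return secret != NULL && strcmp(secret, "constructed-sample-secret") == 0;
}

/* One handler set for both roles (assumption): SUCCESS marks the session
   authenticated, which is only meaningful on the client side. */
static void handle(struct session *s, uint8_t type, const char *secret) {
    if (type == SSH2_MSG_USERAUTH_REQUEST)
        s->authenticated = credentials_ok(secret);
    else if (type == SSH2_MSG_USERAUTH_SUCCESS)
        s->authenticated = true;
}

/* Role check: a server accepts only REQUEST from its peer; SUCCESS and
   FAILURE are server-to-client messages. */
static bool allowed_for_role(const struct session *s, uint8_t type) {
    if (s->is_server)
        return type == SSH2_MSG_USERAUTH_REQUEST;
    return type == SSH2_MSG_USERAUTH_SUCCESS || type == SSH2_MSG_USERAUTH_FAILURE;
}

/* Feed one message to a fresh server session; report whether it ends up
   authenticated. filtered=false models the unchecked dispatch. */
bool server_authenticates(bool filtered, uint8_t type, const char *secret) {
    struct session s = { .is_server = true, .authenticated = false };
    if (!filtered || allowed_for_role(&s, type))
        handle(&s, type, secret);
    return s.authenticated;
}

int main(void) {
    printf("unchecked, SUCCESS from peer: %d\n",
           server_authenticates(false, SSH2_MSG_USERAUTH_SUCCESS, NULL));
    printf("role-checked, SUCCESS from peer: %d\n",
           server_authenticates(true, SSH2_MSG_USERAUTH_SUCCESS, NULL));
    printf("role-checked, valid REQUEST: %d\n",
           server_authenticates(true, SSH2_MSG_USERAUTH_REQUEST, "constructed-sample-secret"));
    return 0;
}
```

On (b) from the thread: this model concerns server-side code only, which matches the advisory's wording ("in the server code"), and libssh2 is a separate library from libssh.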