Severe vulnerability in libssh. Patch ur sh*t co-operators!


#1

Hey folks, thought I’d share this vulnerability here as I know many of you manage a lot of servers for yourselves and clients. The fix will landing in all the main distros soon :smile:

This is an important security and maintenance release in order to address CVE-2018-10933.

libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.

https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/

Track CVE-2018-10933 for your distro.


#2

Thanks for this @kawaiipunk - missed this entirely.


#3

I’ve been trying to work out (a) the potential impact of this, ie how it could be exploited and (b) which if any servers this effects… and I haven’t got very far, on (b), on our Debian Stretch servers we only have libssh2 installed:

aptitude search libssh | grep ^i
i  libssh2-1 - SSH2 client-side library

aptitude show libssh2-1 | egrep "Version|Homepage"
Version: 1.7.0-1
Homepage: http://libssh2.org/

And libssh2 appears to be a different project from libssh — so I don’t believe this is an issue? Has anyone else looked into this much?


#4

I heard that libssh is used on some specific deployments e.g. Github git over ssh (thought no source for this). Sometimes in conjunction with SFTP. It’s also used in some remote desktop clients as far as I can see.

Here is the package page as I understand it:
https://packages.debian.org/source/stretch/libssh

libssh2 isn’t affected.

I ran this on a Stretch box which should be showing all the Debian packages that depend on that package.

user@server ~> apt-cache rdepends libssh-4
libssh-4
Reverse Depends:
  tmate
  kodi-bin
  yafc
  xbmc-bin
  x2goplugin
  x2goclient
  remmina-plugin-nx
  remmina
  libssh-dev
 |libssh-dbg
  hydra
  libguac-client-ssh0
  gnugk

So again, perhaps a bit overblown. It is installed be default on all distros though so it must be used for some deployments.


#5

I’m with Chris on this, we mainly use Debian and Ubuntu and as such libssh2 is what we’ve got running, but we’ll be checking out other systems too.

Thanks for letting us a!l know about this.


#6

Fix is available in Debian now:
https://security-tracker.debian.org/tracker/CVE-2018-10933

Here’s some more info:

It’s fun to dig into these things a little deeper but never forget that the Twitter info sec community is a bit ridiculous.