4-year-old LibSSH vulnerability allows attackers to take over servers

by Tomas Statkus

A security vulnerability detected in LibSSH,[1] a library that implements the Secure Shell (SSH) protocol, could allow hackers to take over servers without a password.

LibSSH vulnerability

The LibSSH vulnerability can be tracked as CVE-2018-10933

The security vulnerability, which is tracked as CVE-2018-10933, was discovered in LibSSH version 0.6, which was released in 2014. This means that thousands of enterprise servers have been vulnerable to hackers for the last four years.[2]

The flaw is the result of a coding error and is easy to exploit. However, it is worth mentioning that the vulnerability has not been exploited, and that neither OpenSSH nor GitHub's implementation of LibSSH has been affected by the flaw.

LibSSH has released a security advisory and noted that, in order to exploit the vulnerability, the attacker has to send an SSH2_MSG_USERAUTH_SUCCESS message to a server that has an SSH connection enabled when it expects an SSH2_MSG_USERAUTH_REQUEST message.

Because of the flaw, LibSSH fails to validate the incoming successful-login packet and skips the authentication process. In other words, if the hacker sends the SSH2_MSG_USERAUTH_SUCCESS response to LibSSH, the server automatically accepts the authentication and confirms it as successful. As a result, the attacker gains access to the server without a password.
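The following simplified model of the flaw described above is an added illustration, not LibSSH source code: it contrasts a dispatcher that shares one handler table between client and server roles with one that rejects server-to-client messages arriving at a server. The struct layout, function names and sample secret are assumptions made for the example; the message numbers are those assigned in RFC 4252.

```c
/* Simplified model of server-side userauth dispatch; NOT LibSSH source. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Message numbers as assigned in RFC 4252. */
#define SSH2_MSG_USERAUTH_REQUEST 50
#define SSH2_MSG_USERAUTH_SUCCESS 52

enum auth_state { AUTH_PENDING, AUTH_SUCCESS, AUTH_DENIED };
struct packet { uint8_t type; const char *secret; };  /* hypothetical layout */

/* Stand-in for real password/public-key verification (constructed secret). */
static bool credentials_ok(const char *secret) {
    return secret != NULL && strcmp(secret, "constructed-secret") == 0;
}

/* Flawed dispatch: one handler table serves both client and server roles. */
static enum auth_state dispatch_vulnerable(enum auth_state st, struct packet p) {
    switch (p.type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        return credentials_ok(p.secret) ? AUTH_SUCCESS : AUTH_DENIED;
    case SSH2_MSG_USERAUTH_SUCCESS:
        return AUTH_SUCCESS;  /* only meaningful when WE are the client */
    default:
        return st;
    }
}

/* Hardened dispatch: a server accepts only the message it is waiting for. */
static enum auth_state dispatch_hardened(enum auth_state st, struct packet p) {
    if (p.type != SSH2_MSG_USERAUTH_REQUEST)
        return AUTH_DENIED;  /* server-to-client message from a peer: reject */
    return dispatch_vulnerable(st, p);
}

/* Feed one packet to a fresh server session and report the resulting state. */
enum auth_state server_receives(bool hardened, uint8_t type, const char *secret) {
    struct packet p = { type, secret };
    return hardened ? dispatch_hardened(AUTH_PENDING, p)
                    : dispatch_vulnerable(AUTH_PENDING, p);
}

int main(void) {
    printf("vulnerable, SUCCESS from peer: %d\n", server_receives(false, SSH2_MSG_USERAUTH_SUCCESS, NULL));
    printf("hardened,   SUCCESS from peer: %d\n", server_receives(true, SSH2_MSG_USERAUTH_SUCCESS, NULL));
    return 0;
}
```

The hardened path still authenticates a legitimate request, which makes the same model usable as a regression check after applying a patched library version.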

GitHub employs LibSSH, but it notes that GitHub Enterprise has not been affected by the flaw because of the way GitHub uses LibSSH.

A GitHub security official has posted on Twitter that the company has not been impacted by, or vulnerable to, the flaw:[3]

We use a custom version of LibSSH; SSH2_MSG_USERAUTH_SUCCESS with LibSSH server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but GHE was never vulnerable to CVE-2018-10933.

However, according to a Shodan search, approximately 6,500 web servers might be affected by the LibSSH vulnerability one way or another.

The vulnerability was discovered by NCC Group. Peter Winter-Smith, a security expert at NCC Group, disclosed the issue and reported it to LibSSH.

LibSSH has released the updated versions 0.8.4 and 0.7.6, along with information and details on the vulnerability.

Users are advised to update LibSSH ASAP

Users who run LibSSH on their websites and use its server component are advised to install the updated and patched versions of LibSSH as soon as possible.

About the author

Tomas Statkus - Team leader

Tomas Statkus is an IT specialist, the team leader, and the founder of Reviewedbypro.com. He has worked in the IT area for over 10 years.
