4-year-old LibSSH vulnerability allows attackers to take over servers

A 4-year-old security vulnerability was detected in libssh, a library that implements the Secure Shell (SSH) protocol, and it could give hackers direct access to take over servers without so much as entering a password.

The Function of Libssh and the origin of the vulnerability

Libssh is a multiplatform C library that implements the SSHv2 protocol on both the client and the server side. The library also allows you to execute programs remotely, manage public keys, transfer files across different platforms, use a secure and transparent tunnel for your applications, and much more.

The security vulnerability, tracked as CVE-2018-10933, was found in libssh version 0.6, which was initially released in 2014 and is used by thousands of enterprise servers. It was discovered by Peter Winter-Smith from NCC Group, who reported it to the people managing the libssh library. The vulnerability meant that all of those servers were susceptible to hackers for the better part of four years, which is catastrophic and borderline apocalyptic, to say the least.

The four-year-old bug in libssh could have allowed anyone to gain administrative control of a vulnerable server or website that could be remotely controlled.
Despite such a security blunder, and the fact that the coding error was easy to exploit, the vulnerability was not exploited, and OpenSSH and GitHub's implementation of libssh were not affected by the flaw.

The clarification by Libssh and the means to avoid the breach

Libssh released a security advisory to the public, which also explained how the vulnerability could be exploited. The attacker had to send an SSH2_MSG_USERAUTH_SUCCESS message to a server that already had an SSH connection enabled on the network, at the point where the connection was expecting an SSH2_MSG_USERAUTH_REQUEST message.

If an attacker performed this step, the flaw in libssh caused the server to skip the authentication process altogether and treat the incoming message as valid.
Once the SSH2_MSG_USERAUTH_SUCCESS message reaches the server, nothing else is authenticated: the server accepts the message automatically and records the authentication as successful, unaware that the message was a dummy used by the attacker to gain access to the server without a password.
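The flaw described above can be modelled as a server-side message dispatcher. This is an added example, not libssh's code: the session struct and function names are hypothetical, and only the message numbers (from RFC 4252) are real. It shows the flawed dispatch beside one that filters by role and state.

```c
#include <stdio.h>
/* Message numbers from RFC 4252 (SSH authentication protocol). */
enum { SSH2_MSG_USERAUTH_REQUEST = 50, SSH2_MSG_USERAUTH_SUCCESS = 52 };
enum auth_state { AUTH_PENDING, AUTH_DONE };
enum verdict { PKT_REJECTED, PKT_ACCEPTED };

/* Hypothetical, simplified server-side session (not libssh's struct). */
struct session { enum auth_state auth; int credentials_checked; };

/* Only path that looks at credentials; creds_ok stands in for real checks. */
static void handle_auth_request(struct session *s, int creds_ok)
{
    s->credentials_checked = 1;
    if (creds_ok) s->auth = AUTH_DONE;
}

/* Flawed: every known message type is handled, whoever sent it. */
enum verdict flawed_dispatch(struct session *s, int msg, int creds_ok)
{
    switch (msg) {
    case SSH2_MSG_USERAUTH_REQUEST:
        handle_auth_request(s, creds_ok);
        return PKT_ACCEPTED;
    case SSH2_MSG_USERAUTH_SUCCESS:
        s->auth = AUTH_DONE;   /* client-role handler running on a server */
        return PKT_ACCEPTED;
    default:
        return PKT_REJECTED;
    }
}

/* Hardened: filter on role and state before any handler runs. A server
 * sends SUCCESS itself, so it never accepts one from the peer. */
enum verdict hardened_dispatch(struct session *s, int msg, int creds_ok)
{
    if (msg != SSH2_MSG_USERAUTH_REQUEST || s->auth != AUTH_PENDING)
        return PKT_REJECTED;
    handle_auth_request(s, creds_ok);
    return PKT_ACCEPTED;
}

int main(void)
{
    struct session a = { AUTH_PENDING, 0 }, b = { AUTH_PENDING, 0 };
    flawed_dispatch(&a, SSH2_MSG_USERAUTH_SUCCESS, 0);
    hardened_dispatch(&b, SSH2_MSG_USERAUTH_SUCCESS, 0);
    printf("flawed auth=%d, hardened auth=%d\n", a.auth, b.auth);
    return 0;
}
```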

Although no hacking or data attack was recorded, a Shodan search suggested that approximately 6,500 web servers were vulnerable because of the libssh update that caused the problem.
GitHub, an organization run by Microsoft that provides hosting for software development and version control using Git, is also one of the users of libssh. However, GitHub stated that GitHub Enterprise was not affected by the flaw inside the new version of libssh, mainly because of the way the company applies the library on its servers.

One of GitHub's security officials posted the following clarification on Twitter, stating that the company had not been impacted by or vulnerable to the flaw:

“We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but GHE was never vulnerable to CVE-2018-10933.”

Advice for the users of Libssh to deal with the vulnerability in their servers

The company behind the libssh library has released the patched versions 0.8.4 and 0.7.6, together with information and details on the vulnerability. It is up to the users of the library to upgrade to the latest version to avoid the weakness caused by the 0.6 version of libssh.
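As a starting point for checking an inventory against those releases, the added example below (not part of the original article or of libssh) classifies an SSH identification banner using the version numbers given above. The banner forms `libssh-X.Y.Z` and `libssh_X.Y.Z` are an assumption, the sample banners are constructed, and a banner can be customised, so a result of 0 or -1 does not prove a host is patched.

```c
#include <stdio.h>
#include <string.h>

/* 1 = release in the affected range, 0 = outside it,
 * -1 = not a libssh banner or version unreadable. */
int libssh_banner_vulnerable(const char *banner)
{
    int major = 0, minor = 0, patch = 0;
    const char *p = strstr(banner, "libssh");
    if (p == NULL) return -1;
    p += strlen("libssh");
    /* Assumed banner forms: "libssh-X.Y.Z" and "libssh_X.Y.Z".
     * "libssh2_..." is a different library and is reported as -1. */
    if (*p != '-' && *p != '_') return -1;
    if (sscanf(p + 1, "%d.%d.%d", &major, &minor, &patch) < 2) return -1;
    if (major != 0) return 0;           /* not a 0.x release */
    if (minor < 6) return 0;            /* predates 0.6 */
    if (minor == 6) return 1;           /* no fixed 0.6.x named on the page */
    if (minor == 7) return patch < 6;   /* fixed in 0.7.6 */
    if (minor == 8) return patch < 4;   /* fixed in 0.8.4 */
    return 0;                           /* later than 0.8.x */
}

int main(void)
{
    /* Constructed sample banners, as an inventory scan might record them. */
    const char *samples[] = {
        "SSH-2.0-libssh-0.6.3", "SSH-2.0-libssh-0.7.6",
        "SSH-2.0-libssh_0.8.3", "SSH-2.0-libssh2_1.8.0",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %d\n", samples[i], libssh_banner_vulnerable(samples[i]));
    return 0;
}
```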

A full audit of the servers using Libssh should be conducted to deal with the vulnerability – Final Thoughts
Implementing a program involves a big learning curve, and it is no surprise that some flaws remain even in the final draft of an application. However, there is a constant threat from hackers who infiltrate servers online and use them for their own gain in the form of eavesdropping, ransomware, and cryptocurrency mining. The same was the case with the vulnerability within libssh's update number 0.6, as it was left unnoticed for a period of six years.

Despite the fact that no significant security breach was recorded, it is essential to take the opportunity to update the library to the latest patch. Beyond that, users of the affected versions should perform a full audit of their servers and check every incoming connection for signs of compromise.

 

About the author
Tomas Statkus - Team leader

Tomas Statkus is an IT specialist, the team leader, and the founder of Reviewedbypro.com. He has worked in the IT area for over 10 years.
