
SSH Authentication Bug Opens Door If You Say You're Logged-In

Due to a coding error, the libssh SSH library would let in anyone who said they had already logged in successfully.

Another security vulnerability can be put in the "found and fixed" category. "Fixed," that is, if vulnerable servers apply the patch. The good news is that most servers aren't going to be affected, which narrows the problem down to mere thousands. It could have been much worse.

The problem was in libssh, a popular library that implements the Secure Shell (SSH) protocol. Because of a coding error, it would believe anyone who told it their login had already been authenticated, and open the access door wide.

Technically speaking, the libssh SSH authentication process normally starts when the client sends the message "SSH2_MSG_USERAUTH_REQUEST". If the server was sent "SSH2_MSG_USERAUTH_SUCCESS" instead, it would take this as all the proof it needed that the user had already been successfully authenticated.
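The class of bug described above, shown as an added example in C that is not libssh's code: a simplified model in which one message dispatcher serves both roles, next to a version that filters messages by role first. The struct, function names, shared-dispatcher layout and credentials are assumptions made for illustration; only the message numbers come from RFC 4252.

```c
#include <stdio.h>
#include <string.h>

/* Message numbers from RFC 4252; only user-auth messages are modelled. */
enum { MSG_USERAUTH_REQUEST = 50, MSG_USERAUTH_FAILURE = 51, MSG_USERAUTH_SUCCESS = 52 };
enum role { ROLE_CLIENT, ROLE_SERVER };
struct session { enum role role; int authenticated; };

/* Hypothetical stand-in for real password or key verification (constructed values). */
static int credentials_ok(const char *user, const char *secret) {
    return strcmp(user, "alice") == 0 && strcmp(secret, "constructed-secret") == 0;
}

/* Flawed dispatch: one handler table for both roles, no check of who may send what. */
int dispatch_flawed(struct session *s, int type, const char *user, const char *secret) {
    switch (type) {
    case MSG_USERAUTH_REQUEST:
        s->authenticated = credentials_ok(user, secret);
        return 0;
    case MSG_USERAUTH_SUCCESS:      /* only meaningful when we are the client */
        s->authenticated = 1;
        return 0;
    default:
        return -1;
    }
}

/* Hardened dispatch: reject messages the peer's role may not send, before any handler runs. */
int dispatch_hardened(struct session *s, int type, const char *user, const char *secret) {
    if (s->role == ROLE_SERVER && type != MSG_USERAUTH_REQUEST)
        return -1;                  /* a server never accepts SUCCESS or FAILURE */
    if (s->role == ROLE_CLIENT && type == MSG_USERAUTH_REQUEST)
        return -1;                  /* a client never accepts REQUEST */
    return dispatch_flawed(s, type, user, secret);
}

/* Authentication state of a fresh server session after it receives one message. */
int server_auth_after(int hardened, int type, const char *user, const char *secret) {
    struct session s = { ROLE_SERVER, 0 };
    if (hardened) dispatch_hardened(&s, type, user, secret);
    else dispatch_flawed(&s, type, user, secret);
    return s.authenticated;
}

int main(void) {
    printf("flawed, SUCCESS from peer:   %d\n", server_auth_after(0, MSG_USERAUTH_SUCCESS, "", ""));
    printf("hardened, SUCCESS from peer: %d\n", server_auth_after(1, MSG_USERAUTH_SUCCESS, "", ""));
    return 0;
}
```

The design point for reviewers is that the authenticated flag should be set only on the path that actually verified credentials, and that a library implementing both client and server needs an explicit per-role check on incoming message types.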

The bug, officially CVE-2018-10933, was discovered by Peter Winter-Smith, a researcher at security firm NCC, who then reported it to libssh developers. The devs pushed out versions 0.8.4 and 0.7.6 to address the issue last Tuesday, as well as patches for older versions.

Only server installations need to be patched, as client installs are not vulnerable.

This could have had a nasty ending. The vulnerability had been present since version 0.6.0, which was released in January 2014, but evidently escaped discovery by the black hats. The potential scope of the exploit was reduced because most servers, IoT devices, and personal computers use OpenSSH instead of libssh to implement SSH.

The latter does much to limit the scope of this exploit. According to Amit Serper, who is head of security research at Cybereason, the vulnerability affects a minimum of 3,000 servers (up to about 6,000), but those numbers are only a drop in the serverland bucket.

It could have also been much worse had GitHub, which uses libssh, been affected. Fortunately, GitHub has customized its implementation and doesn't use the SSH2_MSG_USERAUTH_SUCCESS message.

"Patches have been applied out of an abundance of caution," GitHub security said in a tweet, "but GHE was never vulnerable to CVE-2018-10933."

If it had been vulnerable, attackers could have gained access to its customers' source code, which includes the code from some of the largest development houses in the world.

