libssh Authentication Bypass CVE-2018-10933


Posted by: Leap Security

The Vulnerability

A vulnerability present in libssh versions 0.6 and later has taken the internet by storm. The vulnerability allows attackers to bypass authentication and gain remote code execution on the affected system. The libssh team has already released a patch to this vulnerability (link below). Upgrading to 0.7.6 or 0.8.4 eliminates the vulnerability.

Link: libssh patch
Link: libssh patch notes

While many systems use SSH, not all implementations are vulnerable. Dropbear and OpenSSH, the two most common, have their own SSH implementations rather than libssh and are not vulnerable.

With that said, the vulnerability still affects ~3,000 servers. Using shodan.io with the port:22 libssh filter allows one to quickly see the impact of the vulnerability.

Shodan reports Verizon Wireless and Sprint PCS running the most libssh present on the internet right now.

top organizations running libssh

And would you look at that — the most common version of libssh is 0.6.0 with over 1,200 systems running it. Ouch!

top libssh versions

Technical Details

To exploit the vulnerability, an attacker must present the server with an SSH2_MSG_USERAUTH_SUCCESS message instead of the SSH2_MSG_USERAUTH_REQUEST message the server expects. This allows the attacker to bypass authentication and gain remote code execution on the affected server.

Public exploits and proof of concepts (most requiring code modifications) have been released and are being used in the wild.

Tool Release

Link: libssh scanner tool

We’ve released libssh scanner, a Python-based tool to identify vulnerable versions of libssh. The tool has two modes: passive (default), which determines whether systems are vulnerable by banner grabbing, and aggressive, which attempts to leverage the vulnerability and bypass authentication in order to identify vulnerable systems.

Example

./libsshscan 127.0.0.1

The command above uses passive mode (i.e., a banner grab) against the SSH service running on 127.0.0.1 to identify whether the host is vulnerable.

./libsshscan -a 127.0.0.1 -p 2222

The command above uses aggressive mode against the SSH service running on 127.0.0.1:2222 to identify whether the host is vulnerable.
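The passive check described above, as an added example that is not the libssh scanner’s own code: it parses the SSH identification string, extracts the libssh version, and applies the version windows given in this post (0.6 and later affected; 0.7.6 and 0.8.4 fixed). The sample banners are constructed, and the banner formats matched (libssh_X.Y.Z and libssh-X.Y.Z) are an assumption; a distribution that backports the fix without changing the banner will still show up as vulnerable here, so treat a match as a lead to confirm, not proof.

```python
import re
import socket

# Matches e.g. "SSH-2.0-libssh_0.8.1" or "SSH-2.0-libssh-0.6.0" (assumed formats).
BANNER_RE = re.compile(r"SSH-2\.0-libssh[_-](\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)

# Constructed sample banners standing in for what a banner grab would return.
SAMPLE_BANNERS = {
    "host-a": "SSH-2.0-libssh_0.6.0",   # the most common version per the post
    "host-b": "SSH-2.0-libssh_0.7.6",   # fixed release
    "host-c": "SSH-2.0-libssh-0.8.1",   # affected 0.8.x
    "host-d": "SSH-2.0-libssh_0.8.4",   # fixed release
    "host-e": "SSH-2.0-OpenSSH_7.4",    # not libssh at all
}


def parse_libssh_version(banner):
    """Return (major, minor, patch) if the banner is libssh, else None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(version):
    """CVE-2018-10933: 0.6 and later affected; 0.7.6 and 0.8.4 carry the fix."""
    if version is None or version < (0, 6, 0):
        return False
    if version < (0, 7, 6):                    # 0.6.x and 0.7.0 through 0.7.5
        return True
    return (0, 8, 0) <= version < (0, 8, 4)     # 0.8.0 through 0.8.3


def assess(banner):
    """Classify one banner as 'vulnerable', 'patched' or 'not-libssh'."""
    version = parse_libssh_version(banner)
    if version is None:
        return "not-libssh"
    return "vulnerable" if is_vulnerable_version(version) else "patched"


def grab_banner(host, port=22, timeout=3.0):
    """Passive check against a live host: read only the identification line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", errors="replace").strip()


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name}: {banner} -> {assess(banner)}")
```

Point grab_banner at hosts you administer to feed assess() real banners; the server sends its identification line before any authentication, so this touches nothing beyond the initial handshake.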

Conclusion

Although not present in every installation of SSH, CVE-2018-10933 is still widespread and easy to exploit. With public exploits and scripts emerging on the internet, it is important to take this seriously, as it is a remote code execution vulnerability, and to patch your affected system(s) as soon as possible.