Exploits Published for LibSSH Vulnerability: Immediate Patching Required

A recently discovered LibSSH vulnerability, that has been described as ‘comically bad’ by the security researcher who discovered it, has been patched. The flaw is ridiculously easy to exploit. Unsurprisingly, various scripts and tools have been published that allow vulnerable devices to be found and the flaw to be exploited.

If the LibSSH vulnerability is exploited, which requires little skill even without one of the published scripts, it would allow an attacker to launch an attack and remotely execute code on a vulnerable system.

The LibSSH vulnerability, which would allow anyone to login to a vulnerable Linux/Unix server without having to provide a password, is as bad as it gets. The flaw was uncovered by Peter Winter-Smith of NCC Group, who discovered that authentication can be bypassed by sending a SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message. The server is expecting a SSH2_MSG_USERAUTH_REQUEST message but will assume that authentication has successfully taken place if the SSH2_MSG_USERAUTH_SUCCESS message is sent instead.

According to a recent security advisory published by LibSSH, “The SSH2_MSG_USERAUTH_SUCCESS handler is intended only for communication from the server to the client.”

The vulnerability is being tracked as CVE-2018-10933 and is present in LibSSH versions 0.6 and later. The flaw has been patched in versions 0.8.4 and 0.7.6.

Even though the flaw is trivial to exploit, it is even easier using the scripts that have been released. Leap Security has released a script that searches for vulnerable devices, and there are several available that will exploit the vulnerability and allow any code to be run with absolutely no skill required.

While the flaw is of high-severity, fortunately only a small number of devices are vulnerable. Anyone running a vulnerable version should patch immediately. Failure to patch will almost certainly see the device compromised.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news