Emerging Threat: Authentication Bypass in libssh Leaves Servers Vulnerable

Description: A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4 (Source: MITRE, description last modified: 10/17/2018).

Notification of the vulnerability was made public by libssh on October 16, 2018. That notice can be found here: https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/ . It was originally discovered by Peter Winter-Smith of NCC Group.

First introduced in 2014 with the release of libssh version 0.6, this vulnerability is an authentication-bypass bug which makes it possible to log in to vulnerable servers by presenting a SSH2_MSG_USERAUTH_SUCCESS message rather than the expected SSH2_MSG_USERAUTH_REQUEST message. A malicious client could create channels without first performing authentication, resulting in unauthorized access.

Alert Logic customers can access additional information via this link: https://support.alertlogic.com/hc/en-us/articles/360018117252

Impact: Impact is expected to be limited to a relatively small number of servers. Only vulnerable versions of libssh running in server mode are vulnerable. The client mode is unaffected. In addition, this does not affect OpenSSH, Dropbear, libssh2, PuTTY, or the Github version.

After a complete check of the Alert Logic systems, we have determined that we are not impacted as we do not run the vulnerable version of libssh. In addition, the Alert Logic appliance is not vulnerable.

What is the nature of the threat? This vulnerability could be exploited to gain complete control over vulnerable servers enabling attackers to steal encryption keys and user data, install rootkits and erase logs that recorded the unauthorized access.

Who does this affect?: Only vulnerable versions of libssh running in server mode are vulnerable. The client mode is unaffected. In addition, this does not affect OpenSSH, Dropbear, libssh2, PuTTY, or the Github version.

Take action to protect yourself against this threat: It is not possible to mitigate this vulnerability, the only route to resolution is a patch - https://www.libssh.org/files/. Any user running a vulnerable version of libssh in server mode should conduct a thorough audit of their network immediately after applying the patch.