Vendors confirm products affected by libssh bug as PoC code pops up on GitHub
Products from major vendors such as F5 and Red Hat are affected by a major vulnerability that came to light this week and which resides in the libssh library.
The vulnerability, which is tracked in infosec circles as CVE-2018-10933, is an authentication bypass in the libssh code that handles server-side login procedures.
Servers or software applications that use the libssh code to allow users to log into them via the SSH protocol are affected.
The vulnerability is trivial to exploit and requires an attacker sending an affected server an “SSH2_MSG_USERAUTH_SUCCESS” request to trick the server into thinking the user has already authenticated.
The libssh team disclosed the vulnerability on Tuesday, October 16, and initially, it wasn’t clear how many products were affected, mainly because OpenSSH is a more popular library that’s more regularly used for SSH authentication systems.
But throughout the week, some companies have stepped forward and published security advisories for products that use vulnerable versions of the libssh library. The first to go public was OS maker Red Hat.
“This vulnerability affects libssh shipped in Red Hat Enterprise Linux 7 Extras,” the company said in an advisory.
Red Hat plans to update the libssh library version to a new one that’s not affected. Apps running on Red Hat systems that relied on the OS’ libssh library to support incoming SSH connections will be updated once the update goes live, or they could manually update the library themselves.
Other products that have been confirmed to be affected by this bug are F5 Networks BIG-IP load balancers. These are servers that take incoming traffic and spread it across a larger set of servers based on bandwidth load. They are often found in data centers, ISPs, or enterprise networks.
Until patches are available, F5 Networks has advised administrators to log into their BIG-IP systems by manually typing their password during a keyboard-interactive login session, rather than using the more common “public key authentication” system, where the libssh flaw resides.
Cisco has not gone on the record to confirm that its products are affected, but the company has started an investigation into a long list of products that apparently also use libssh. ZDNet readers can consult the full list of products and follow updates on Cisco’s investigation via this security advisory.
At the time of writing, no vendor or cyber-security firm has come forward to confirm exploitation attempts that leverage this vulnerability. Nevertheless, it will not take long until actual hacks take place.
Over the course of the week, at least four proof-of-concept (PoC) scripts have been uploaded on GitHub [1, 2, 3, 4], along with a scanner that can allegedly find servers that rely on libssh for SSH authentication.
According to Leap Security, there are around 3,000 servers connected to the Internet that use the library, and roughly 1,800-1,900 of them use a vulnerable version of the libssh library.
“If you have servers present within your organization using libssh ensure they are all patched as soon as possible. This vulnerability is trending and easily exploited,” said Leap Security in a blog post this week.