Last week a ridiculously easy authentication bypass vulnerability in libssh was disclosed. Since then, multiple tools and scripts have been released that allow attackers to remotely exploit it and execute commands on vulnerable devices.
This vulnerability has been assigned the ID CVE-2018-10933 and is trivial to exploit: all you have to do is send an SSH2_MSG_USERAUTH_SUCCESS message when libssh expects an SSH2_MSG_USERAUTH_REQUEST. The library then treats you as successfully authenticated and lets you in.
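To make the mechanism concrete from the defender's side, here is an added example (not libssh's code, and not code from any of the tools mentioned in this article) that models the server-side authentication state machine in Python. It shows the flawed pattern, a packet-type table that never asks whether the client is allowed to send a given message, next to a hardened dispatcher that rejects and logs server-only messages before any handler runs. The message numbers are the real ones from RFC 4252; the credential store, session class and function names are constructed for the demo.

```python
# Added example (not libssh code): a minimal model of the server-side
# user-authentication state machine, showing why accepting a client-sent
# SSH2_MSG_USERAUTH_SUCCESS is a bypass and how a state check closes it.

# Message numbers from RFC 4252 (the SSH authentication protocol).
SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_USERAUTH_FAILURE = 51
SSH2_MSG_USERAUTH_SUCCESS = 52

# Constructed credential store for the demo (hypothetical, not real data).
VALID_CREDENTIALS = {"admin": "correct horse battery staple"}


class Session:
    """Server-side view of one SSH session after key exchange."""

    def __init__(self):
        self.authenticated = False
        self.user = None
        self.log = []  # defender-facing events worth alerting on


def _handle_userauth_request(session, payload):
    """The only legitimate way to become authenticated: the server checks
    the credentials the client supplied in a USERAUTH_REQUEST."""
    user = payload.get("user")
    password = payload.get("password")
    if user in VALID_CREDENTIALS and VALID_CREDENTIALS[user] == password:
        session.authenticated = True
        session.user = user
        return SSH2_MSG_USERAUTH_SUCCESS
    return SSH2_MSG_USERAUTH_FAILURE


def vulnerable_dispatch(session, msg_type, payload):
    """Models the flawed pattern: one packet-type table that never checks
    whether the message is one the *client* may send at this point, so a
    client-sent USERAUTH_SUCCESS is processed as if the server had sent it."""
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        return _handle_userauth_request(session, payload)
    if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
        # Server-only message handled regardless of direction: the bypass.
        session.authenticated = True
        session.user = payload.get("user", "<unknown>")
        return None
    return SSH2_MSG_USERAUTH_FAILURE


# Message numbers a client is permitted to send while authentication is pending.
CLIENT_ALLOWED_DURING_AUTH = {SSH2_MSG_USERAUTH_REQUEST}


def hardened_dispatch(session, msg_type, payload):
    """Same table, but any message a client must never send during auth is
    rejected and logged before a handler runs; authentication can only be
    granted by the server's own credential check."""
    if msg_type not in CLIENT_ALLOWED_DURING_AUTH:
        session.log.append(f"rejected client message type {msg_type} during auth")
        return SSH2_MSG_USERAUTH_FAILURE
    return _handle_userauth_request(session, payload)


def run_session(dispatch, messages):
    """Feed a constructed sequence of (msg_type, payload) client messages
    through one dispatcher and return the resulting session state."""
    session = Session()
    for msg_type, payload in messages:
        dispatch(session, msg_type, payload)
    return session


if __name__ == "__main__":
    # Constructed client message sequences.
    bypass_attempt = [(SSH2_MSG_USERAUTH_SUCCESS, {"user": "admin"})]
    real_login = [(SSH2_MSG_USERAUTH_REQUEST,
                   {"user": "admin", "password": "correct horse battery staple"})]
    print("vulnerable, bypass :", run_session(vulnerable_dispatch, bypass_attempt).authenticated)
    hardened = run_session(hardened_dispatch, bypass_attempt)
    print("hardened,  bypass  :", hardened.authenticated, hardened.log)
    print("hardened,  login   :", run_session(hardened_dispatch, real_login).authenticated)
```

The point of the hardened version is that direction and state are checked before the message type is looked up, which is also where a server should emit a log event: a client sending a server-only message during authentication is never legitimate and is a clean detection signal.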
While this vulnerability has been fixed in libssh versions 0.7.6 and 0.8.4, researchers have released scanners and scripts that make it simple to exploit the vulnerability and execute commands remotely against vulnerable versions.
Below we have listed the known advisories related to this vulnerability. This information will be updated as more advisories are released.
Arch Linux suggests that users upgrade to libssh version 0.8.4-1 using the command:
pacman -Syu "libssh>=0.8.4-1"
Cisco has stated in a security advisory that they are currently investigating what devices may be affected by this vulnerability.
"Cisco is investigating its product line to determine which products may be affected by this vulnerability. As the investigation progresses, Cisco will update this advisory with information about affected products."
Debian has announced that they released updated packages for libssh that resolve the vulnerability.
In a post on the Dell support forums, a Dell EMC Enterprise Support Services representative has stated that their products use libssh2 and are not affected.
According to an advisory and statement from F5 Networks:
"Turns out, F5 Networks products are not vulnerable whatsoever. The team had put out the security advisory to error on the side of caution and suggested mitigations while they looked into libssh, but it turns out that there is nothing to mitigate."
Red Hat has released an advisory stating that this vulnerability only affects the libssh package shipped in Red Hat Enterprise Linux 7 Extras; no other packages are affected by this vulnerability.
"This issue can only affect applications that use libssh to implement an SSH server; SSH client functionality is not affected. No packages in Red Hat products use libssh to implement an SSH server. Therefore, no package from Red Hat that uses the libssh library is affected by this flaw.
The libssh library is available for customer or third party code to use. Such code that is linked against libssh and uses the ssh_bind* functions may be affected by this flaw."
SUSE has released an advisory showing that SUSE Linux Enterprise Desktop 12 SP3, SUSE Linux Enterprise Module for Basesystem 15, SUSE Linux Enterprise Software Development Kit 12 SP3, SUSE Linux Enterprise Workstation Extension 12 SP3, openSUSE Leap 15.0, and openSUSE Leap 42.3 are affected.
SUSE has listed the available updates that resolve this vulnerability.
Ubuntu has released an advisory stating that Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS are affected by this vulnerability. The advisory provides a list of available updates to resolve the vulnerability.
As new advisories are released, I will update this article to include them. If you run into any advisories or bulletins, feel free to leave a comment and I will get them added as well.
After CVE-2018-10933 was disclosed, researchers immediately went to work creating working tools to exploit the vulnerability in libssh. Due to its simplicity, these tools were quickly released, and they make it simple for anyone, and I mean anyone, to scan for and execute commands remotely on vulnerable devices.
For example, Leap Security has released a Python script that can be used to scan for vulnerable devices.
Once those devices are found, numerous tools exist that allow you to exploit them to execute commands. One such script is explained below.
"Hey Friends,
I have written a python script which will exploit the latest libssh authentication bypass vulnerability (CVE-2018-10933)
Below is the link where you can find the script: https://t.co/yLLvgrDJLn
Fire up your terminals and shoot those devices… https://t.co/sUHl7etDbA"
— Kshitij Khakurdikar (@kshitij_c0mrade) October 20, 2018
With an abundance of tools being made available, anyone using devices affected by this vulnerability should check for new security updates and install them immediately if available. Otherwise, your devices will quickly be recruited by bad actors in their campaign for world domination.