libssh Authentication Bypass Makes it Trivial to Pwn Rafts of Servers

The libssh open-source project has issued an update to address an authentication bypass vulnerability in the server code — to say that it’s trivial to exploit is an understatement.

The flaw (CVE-2018-10933) exists in libssh versions 0.6 and above being used in server mode – and it allows anyone to authenticate to a server without any credentials, simply by telling the system that they’re a legitimate user.

An attack can be carried out “by presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication,” the project said in an advisory on Tuesday.

The revelation sparked dismay among coders.

> Holy shit.
>
> I don’t know much about this protocol, but if I understand it correctly, you can just claim “yeah I’m logged in no need to verify” and it will work? Jesus Christ…
>
> — /dev/sam1 (@samvdkris) October 16, 2018

Some have called it the equivalent of a Jedi mind trick: Simply tell the system that things are fine, and it will think that things are fine – i.e., “These are not the droids you’re looking for.”

To put things in perspective, it should be noted that libssh is a multiplatform C library implementing the SSHv2 protocol, which is used by developers in a number of ways: It allows users to remotely execute programs, transfer files, use a secure and transparent tunnel, manage public keys and so on.

As such, a malicious exploit would allow an attacker to gain complete control over vulnerable servers to wreak havoc, such as installing rootkits, stealing encryption keys, intercepting file transfers and server requests, and dropping backdoors or other binaries.

In terms of how serious of a flaw this is by the numbers affected, the scope of the issue is unclear. A search on the Shodan search engine by Amit Serper, head of research at security company Cybereason, filtered the results by servers using the default SSH port. He took to Twitter showing that he uncovered 3,336 servers using vulnerable versions of the library.

Projects publicly stating that they use the libssh include KDE, which uses it to implement the sftp module to allow secure file transfers between different computers; and KDE X2Go, which uses the SSH library to secure the connection to a remote X desktop. But it’s not immediately clear if these implementations are affected.

The good news is that two major projects that may have people concerned aren’t subjected to the bug. GitHub, which uses libssh in production to power its git SSH infrastructure and serve millions of requests daily, is unaffected by the issue, according to its security team. They said via Twitter that GitHub uses a customized version on libssh with a different authentication method.

> We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but GHE was never vulnerable to CVE-2018-10933.
>
> — GitHub Security (@GitHubSecurity) October 17, 2018

OpenSSH meanwhile doesn’t use libssh at all.

The flaw is fixed with libssh versions 0.8.4 or 0.7.6, which can be downloaded here. Developers using server-mode implementations should do a careful audit of their systems to uncover any vulnerable instances.