THREAT HORIZON – LIBSSH AUTHENTICATION BYPASS VULNERABILITY
The following was circulated to our Managed Security Services customers on Friday 26th October 2018.
Executive Summary: An authentication bypass vulnerability in libssh was recently disclosed. Since then, multiple tools and scripts have been released that allow attackers to exploit this vulnerability remotely in order to execute commands on vulnerable devices.
libssh is a multiplatform C library implementing the SSHv2 protocol on client and server side. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel and manage public keys. Currently, this vulnerability has not been exploited in the wild; however, analysis of the proof of concept shows that leveraging this vulnerability is straightforward, and the proof of concept is available at this time.
This vulnerability has affected multiple product lines, including Cisco, Ubuntu, Red Hat Linux and F5 Networks; however, no other applications or vendors appear to have released advisories at this time.
NIST has this vulnerability down as CVE-2018-10933.
Detect: The vulnerability is due to improper authentication operations by the server-side state machine of the affected software. An attacker could exploit this vulnerability by presenting an SSH2_MSG_USERAUTH_SUCCESS message to a targeted system.
A successful exploit could allow the attacker to bypass authentication and gain unauthorized access to a targeted system. Please note that libssh versions 0.8.4 and 0.7.6 are not affected by this vulnerability.
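As an added illustration (not libssh source code and not part of the original bulletin), the simplified C model below shows how a message handler that ignores the endpoint's role lets a server accept SSH2_MSG_USERAUTH_SUCCESS, next to a hardened dispatcher that filters by role and state. The session struct, the function names and the test secret are hypothetical; only the message numbers (RFC 4252) are real.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Message numbers from RFC 4252. */
enum { SSH2_MSG_USERAUTH_REQUEST = 50, SSH2_MSG_USERAUTH_SUCCESS = 52 };
enum role { ROLE_CLIENT, ROLE_SERVER };
enum auth_state { AUTH_NONE, AUTH_REQUEST_SENT, AUTH_FAILED, AUTH_SUCCESS };
struct session { enum role role; enum auth_state auth; unsigned violations; };

/* Hypothetical stand-in for real password or key verification. */
static bool credentials_ok(const char *secret) {
    return secret != NULL && strcmp(secret, "constructed-test-secret") == 0;
}

/* Flawed pattern: one handler table serves both roles, so a server also
 * honours the message that only a client should ever receive. */
static void dispatch_flawed(struct session *s, int type, const char *secret) {
    if (type == SSH2_MSG_USERAUTH_REQUEST)
        s->auth = credentials_ok(secret) ? AUTH_SUCCESS : AUTH_FAILED;
    else if (type == SSH2_MSG_USERAUTH_SUCCESS)
        s->auth = AUTH_SUCCESS;              /* no role or state check */
}

/* Hardened pattern: allow a message only if role and state both expect it. */
static bool dispatch_hardened(struct session *s, int type, const char *secret) {
    bool ok = (type == SSH2_MSG_USERAUTH_REQUEST && s->role == ROLE_SERVER)
           || (type == SSH2_MSG_USERAUTH_SUCCESS && s->role == ROLE_CLIENT
               && s->auth == AUTH_REQUEST_SENT);
    if (!ok) { s->violations++; return false; }  /* count it and drop it */
    dispatch_flawed(s, type, secret);
    return true;
}

/* Feed one message to a fresh server-side session; return its final state. */
static struct session run_server(bool hardened, int type, const char *secret) {
    struct session s = { ROLE_SERVER, AUTH_NONE, 0 };
    if (hardened) dispatch_hardened(&s, type, secret);
    else          dispatch_flawed(&s, type, secret);
    return s;
}

int main(void) {
    struct session a = run_server(false, SSH2_MSG_USERAUTH_SUCCESS, NULL);
    struct session b = run_server(true, SSH2_MSG_USERAUTH_SUCCESS, NULL);
    printf("flawed: authenticated=%d\n", a.auth == AUTH_SUCCESS);
    printf("hardened: authenticated=%d violations=%u\n", b.auth == AUTH_SUCCESS, b.violations);
    return 0;
}
```

In the hardened model the rejected message increments a violation counter, which is the kind of event a server can log so that an unexpected SSH2_MSG_USERAUTH_SUCCESS from a client becomes an alertable signal.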
Proof of concept scripts have been created and tested, along with a scanner that can apparently find servers that rely on libssh for SSH authentication.
Currently there are around 3,000 servers connected to the Internet that use the library, and roughly 1,800-1,900 of them use a vulnerable version of the libssh library.
Affected Products: The following software versions or editions are affected. Cisco has advised that it is still investigating; however, the following products should be considered vulnerable.
1. Network and Content Security Devices
2. Cisco Content Security Management Appliance (SMA)
3. Video, Streaming, TelePresence, and Transcoding Devices
4. Cisco Cloud Object Storage
5. Cisco Cloud Hosted Services
6. Cisco Smart Software Manager Satellite
Red Hat has released an advisory stating that this vulnerability only affects libssh that was shipped in Red Hat Enterprise Linux 7 Extras. Otherwise, no other packages are affected by this vulnerability.
Ubuntu has released an advisory stating that Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS are affected by this vulnerability. The advisory provides a list of available updates to resolve the vulnerability.
According to an advisory from F5 Networks, their BIG-IP (AFM) products running versions 12.1.0 – 12.1.3, 13.0.0 – 13.1.1, and 14.0.0 are vulnerable in the SSH Proxy component.
Debian Linux has advised that this problem has been fixed in version 0.7.3-2+deb9u1.
Prevent: Apply vendor-provided patches and ensure the latest security updates are in place. Product-specific patches are being investigated by their respective vendors and will be released in due course.
React: At the time of writing, no vendor or cyber-security firm has come forward to confirm exploitation attempts that leverage this vulnerability. Nevertheless, it will not take long until actual hacks take place.
If you have servers within your organization using ‘libssh’, we recommend ensuring they are all patched as soon as possible. This vulnerability is trending and easily exploited.