CVE-2018-10933 - Bypass SSH Authentication - libssh vulnerability

Clash Royale CLAN TAG#URR8PPP

up vote
7
down vote

favorite

Looks like CVE-2018-10933 was just released today and you can find a summary here from libssh here

Summary:

libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.

I am trying to understand this more and its range of impact. Do Operating Systems like Debian, Ubunutu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack? Also, does OpenSSH rely on libssh or are they two separate implementations? I tried looking for openssh v.s. libssh but couldn't find what I was looking for. This vulnerability sounds like the worst case scenario for SSH so I am just surprised it hasn't been making headlines or blowing up. The summary of this vuln is vague so I'm looking for any insight into the range of impact and in what scenarios I should be worried.

Thanks

authentication ssh vulnerability

share|improve this question

asked 2 hours ago

User0813484

361

New contributor

User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
7
down vote

favorite

Looks like CVE-2018-10933 was just released today and you can find a summary here from libssh here

Summary:

libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.

I am trying to understand this more and its range of impact. Do Operating Systems like Debian, Ubunutu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack? Also, does OpenSSH rely on libssh or are they two separate implementations? I tried looking for openssh v.s. libssh but couldn't find what I was looking for. This vulnerability sounds like the worst case scenario for SSH so I am just surprised it hasn't been making headlines or blowing up. The summary of this vuln is vague so I'm looking for any insight into the range of impact and in what scenarios I should be worried.

Thanks

authentication ssh vulnerability

share|improve this question

asked 2 hours ago

User0813484

361

New contributor

User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
7
down vote

favorite

up vote
7
down vote

favorite

Looks like CVE-2018-10933 was just released today and you can find a summary here from libssh here

Summary:

libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.

I am trying to understand this more and its range of impact. Do Operating Systems like Debian, Ubunutu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack? Also, does OpenSSH rely on libssh or are they two separate implementations? I tried looking for openssh v.s. libssh but couldn't find what I was looking for. This vulnerability sounds like the worst case scenario for SSH so I am just surprised it hasn't been making headlines or blowing up. The summary of this vuln is vague so I'm looking for any insight into the range of impact and in what scenarios I should be worried.

Thanks

authentication ssh vulnerability

share|improve this question

asked 2 hours ago

User0813484

361

New contributor

User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

Looks like CVE-2018-10933 was just released today and you can find a summary here from libssh here

Summary:

libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.

I am trying to understand this more and its range of impact. Do Operating Systems like Debian, Ubunutu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack? Also, does OpenSSH rely on libssh or are they two separate implementations? I tried looking for openssh v.s. libssh but couldn't find what I was looking for. This vulnerability sounds like the worst case scenario for SSH so I am just surprised it hasn't been making headlines or blowing up. The summary of this vuln is vague so I'm looking for any insight into the range of impact and in what scenarios I should be worried.

Thanks

authentication ssh vulnerability

authentication ssh vulnerability

share|improve this question

asked 2 hours ago

User0813484

361

New contributor

User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

asked 2 hours ago

User0813484

361

New contributor

User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

share|improve this question

asked 2 hours ago

User0813484

361

New contributor

User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 2 hours ago

User0813484

361

asked 2 hours ago

User0813484

361

361

New contributor

User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

New contributor

User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

add a comment | 

2 Answers
2

active

oldest

votes

up vote
5
down vote

... does OpenSSH rely on libssh

OpenSSH does not rely on libssh.

I tried looking for openssh v.s. libssh ...

Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."

Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.

Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...

See the official documentation of libssh on who is using it (at least): KDE, GitHub...

You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4. Note that this only shows dependencies and might show packages which are not installed on your system.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

Steffen Ullrich

108k12185252

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
  – AndrolGenhald
  2 hours ago
  

  
  
  
  

add a comment | 

up vote
-1
down vote

Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?

The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):

• KDE uses libssh for the sftp file transfers


• GitHub implemented their git ssh server with libssh


• X2Go is a Remote Desktop solution for Linux

Also, does OpenSSH rely on libssh or are they two separate implementations?

As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

hft

1,197617

• 
  
  
  

  
  

  
  
  
  
  
  

  
  The libcrypto part?
  – hft
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, only the libcrypto part.
  – Steffen Ullrich
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  "OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
  – Steffen Ullrich
  1 hour ago
  
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

User0813484 is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f195834%2fcve-2018-10933-bypass-ssh-authentication-libssh-vulnerability%23new-answer', 'question_page');

);

Post as a guest

Name Email

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
5
down vote

... does OpenSSH rely on libssh

OpenSSH does not rely on libssh.

I tried looking for openssh v.s. libssh ...

Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."

Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.

Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...

See the official documentation of libssh on who is using it (at least): KDE, GitHub...

You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4. Note that this only shows dependencies and might show packages which are not installed on your system.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

Steffen Ullrich

108k12185252

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
  – AndrolGenhald
  2 hours ago
  

  
  
  
  

add a comment | 

up vote
5
down vote

... does OpenSSH rely on libssh

OpenSSH does not rely on libssh.

I tried looking for openssh v.s. libssh ...

Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."

Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.

Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...

See the official documentation of libssh on who is using it (at least): KDE, GitHub...

You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4. Note that this only shows dependencies and might show packages which are not installed on your system.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

Steffen Ullrich

108k12185252

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
  – AndrolGenhald
  2 hours ago
  

  
  
  
  

add a comment | 

up vote
5
down vote

up vote
5
down vote

... does OpenSSH rely on libssh

OpenSSH does not rely on libssh.

I tried looking for openssh v.s. libssh ...

Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."

Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.

Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...

See the official documentation of libssh on who is using it (at least): KDE, GitHub...

You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4. Note that this only shows dependencies and might show packages which are not installed on your system.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

Steffen Ullrich

108k12185252

... does OpenSSH rely on libssh

OpenSSH does not rely on libssh.

I tried looking for openssh v.s. libssh ...

Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."

Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.

Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...

See the official documentation of libssh on who is using it (at least): KDE, GitHub...

You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4. Note that this only shows dependencies and might show packages which are not installed on your system.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

Steffen Ullrich

108k12185252

share|improve this answer

share|improve this answer

edited 2 hours ago

edited 2 hours ago

edited 2 hours ago

answered 2 hours ago

Steffen Ullrich

108k12185252

answered 2 hours ago

Steffen Ullrich

108k12185252

answered 2 hours ago

Steffen Ullrich

108k12185252

108k12185252

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
  – AndrolGenhald
  2 hours ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
  – AndrolGenhald
  2 hours ago
  

  
  
  
  

Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
– AndrolGenhald
2 hours ago

Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
– AndrolGenhald
2 hours ago

add a comment | 

up vote
-1
down vote

Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?

The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):

• KDE uses libssh for the sftp file transfers


• GitHub implemented their git ssh server with libssh


• X2Go is a Remote Desktop solution for Linux

Also, does OpenSSH rely on libssh or are they two separate implementations?

As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

hft

1,197617

• 
  
  
  

  
  

  
  
  
  
  
  

  
  The libcrypto part?
  – hft
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, only the libcrypto part.
  – Steffen Ullrich
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  "OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
  – Steffen Ullrich
  1 hour ago
  
  

  
  
  
  

add a comment | 

up vote
-1
down vote

Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?

The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):

• KDE uses libssh for the sftp file transfers


• GitHub implemented their git ssh server with libssh


• X2Go is a Remote Desktop solution for Linux

Also, does OpenSSH rely on libssh or are they two separate implementations?

As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

hft

1,197617

• 
  
  
  

  
  

  
  
  
  
  
  

  
  The libcrypto part?
  – hft
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, only the libcrypto part.
  – Steffen Ullrich
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  "OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
  – Steffen Ullrich
  1 hour ago
  
  

  
  
  
  

add a comment | 

up vote
-1
down vote

up vote
-1
down vote

Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?

The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):

• KDE uses libssh for the sftp file transfers


• GitHub implemented their git ssh server with libssh


• X2Go is a Remote Desktop solution for Linux

Also, does OpenSSH rely on libssh or are they two separate implementations?

As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

hft

1,197617

Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?

The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):

• KDE uses libssh for the sftp file transfers


• GitHub implemented their git ssh server with libssh


• X2Go is a Remote Desktop solution for Linux

Also, does OpenSSH rely on libssh or are they two separate implementations?

As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

hft

1,197617

share|improve this answer

share|improve this answer

edited 2 hours ago

edited 2 hours ago

edited 2 hours ago

answered 2 hours ago

hft

1,197617

answered 2 hours ago

hft

1,197617

answered 2 hours ago

hft

1,197617

1,197617

• 
  
  
  

  
  

  
  
  
  
  
  

  
  The libcrypto part?
  – hft
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, only the libcrypto part.
  – Steffen Ullrich
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  "OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
  – Steffen Ullrich
  1 hour ago
  
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  The libcrypto part?
  – hft
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, only the libcrypto part.
  – Steffen Ullrich
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  "OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
  – Steffen Ullrich
  1 hour ago
  
  

  
  
  
  

The libcrypto part?
– hft
2 hours ago

The libcrypto part?
– hft
2 hours ago

Yes, only the libcrypto part.
– Steffen Ullrich
2 hours ago

Yes, only the libcrypto part.
– Steffen Ullrich
2 hours ago

"OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
– Steffen Ullrich
1 hour ago

"OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
– Steffen Ullrich
1 hour ago

add a comment | 

User0813484 is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

User0813484 is a new contributor. Be nice, and check out our Code of Conduct.

User0813484 is a new contributor. Be nice, and check out our Code of Conduct.

User0813484 is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f195834%2fcve-2018-10933-bypass-ssh-authentication-libssh-vulnerability%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email