CVE-2018-10933 - Bypass SSH Authentication - libssh vulnerability

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
7
down vote

favorite












Looks like CVE-2018-10933 was just released today and you can find a summary here from libssh here



Summary:




libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.




I am trying to understand this more and its range of impact. Do Operating Systems like Debian, Ubunutu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack? Also, does OpenSSH rely on libssh or are they two separate implementations? I tried looking for openssh v.s. libssh but couldn't find what I was looking for. This vulnerability sounds like the worst case scenario for SSH so I am just surprised it hasn't been making headlines or blowing up. The summary of this vuln is vague so I'm looking for any insight into the range of impact and in what scenarios I should be worried.



Thanks










share|improve this question







New contributor




User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.























    up vote
    7
    down vote

    favorite












    Looks like CVE-2018-10933 was just released today and you can find a summary here from libssh here



    Summary:




    libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.




    I am trying to understand this more and its range of impact. Do Operating Systems like Debian, Ubunutu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack? Also, does OpenSSH rely on libssh or are they two separate implementations? I tried looking for openssh v.s. libssh but couldn't find what I was looking for. This vulnerability sounds like the worst case scenario for SSH so I am just surprised it hasn't been making headlines or blowing up. The summary of this vuln is vague so I'm looking for any insight into the range of impact and in what scenarios I should be worried.



    Thanks










    share|improve this question







    New contributor




    User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















      up vote
      7
      down vote

      favorite









      up vote
      7
      down vote

      favorite











      Looks like CVE-2018-10933 was just released today and you can find a summary here from libssh here



      Summary:




      libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.




      I am trying to understand this more and its range of impact. Do Operating Systems like Debian, Ubunutu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack? Also, does OpenSSH rely on libssh or are they two separate implementations? I tried looking for openssh v.s. libssh but couldn't find what I was looking for. This vulnerability sounds like the worst case scenario for SSH so I am just surprised it hasn't been making headlines or blowing up. The summary of this vuln is vague so I'm looking for any insight into the range of impact and in what scenarios I should be worried.



      Thanks










      share|improve this question







      New contributor




      User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      Looks like CVE-2018-10933 was just released today and you can find a summary here from libssh here



      Summary:




      libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.




      I am trying to understand this more and its range of impact. Do Operating Systems like Debian, Ubunutu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack? Also, does OpenSSH rely on libssh or are they two separate implementations? I tried looking for openssh v.s. libssh but couldn't find what I was looking for. This vulnerability sounds like the worst case scenario for SSH so I am just surprised it hasn't been making headlines or blowing up. The summary of this vuln is vague so I'm looking for any insight into the range of impact and in what scenarios I should be worried.



      Thanks







      authentication ssh vulnerability






      share|improve this question







      New contributor




      User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question







      New contributor




      User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question






      New contributor




      User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 2 hours ago









      User0813484

      361




      361




      New contributor




      User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      User0813484 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          5
          down vote














          ... does OpenSSH rely on libssh




          OpenSSH does not rely on libssh.




          I tried looking for openssh v.s. libssh ...




          Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."



          Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.




          Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...




          See the official documentation of libssh on who is using it (at least): KDE, GitHub...

          You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4. Note that this only shows dependencies and might show packages which are not installed on your system.






          share|improve this answer






















          • Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
            – AndrolGenhald
            2 hours ago

















          up vote
          -1
          down vote














          Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?




          The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):



          • KDE uses libssh for the sftp file transfers

          • GitHub implemented their git ssh server with libssh

          • X2Go is a Remote Desktop solution for Linux


          Also, does OpenSSH rely on libssh or are they two separate implementations?




          As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.






          share|improve this answer






















          • The libcrypto part?
            – hft
            2 hours ago










          • Yes, only the libcrypto part.
            – Steffen Ullrich
            2 hours ago










          • "OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
            – Steffen Ullrich
            1 hour ago











          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "162"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );






          User0813484 is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f195834%2fcve-2018-10933-bypass-ssh-authentication-libssh-vulnerability%23new-answer', 'question_page');

          );

          Post as a guest






























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          5
          down vote














          ... does OpenSSH rely on libssh




          OpenSSH does not rely on libssh.




          I tried looking for openssh v.s. libssh ...




          Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."



          Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.




          Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...




          See the official documentation of libssh on who is using it (at least): KDE, GitHub...

          You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4. Note that this only shows dependencies and might show packages which are not installed on your system.






          share|improve this answer






















          • Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
            – AndrolGenhald
            2 hours ago














          up vote
          5
          down vote














          ... does OpenSSH rely on libssh




          OpenSSH does not rely on libssh.




          I tried looking for openssh v.s. libssh ...




          Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."



          Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.




          Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...




          See the official documentation of libssh on who is using it (at least): KDE, GitHub...

          You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4. Note that this only shows dependencies and might show packages which are not installed on your system.






          share|improve this answer






















          • Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
            – AndrolGenhald
            2 hours ago












          up vote
          5
          down vote










          up vote
          5
          down vote










          ... does OpenSSH rely on libssh




          OpenSSH does not rely on libssh.




          I tried looking for openssh v.s. libssh ...




          Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."



          Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.




          Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...




          See the official documentation of libssh on who is using it (at least): KDE, GitHub...

          You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4. Note that this only shows dependencies and might show packages which are not installed on your system.






          share|improve this answer















          ... does OpenSSH rely on libssh




          OpenSSH does not rely on libssh.




          I tried looking for openssh v.s. libssh ...




          Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."



          Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.




          Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...




          See the official documentation of libssh on who is using it (at least): KDE, GitHub...

          You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4. Note that this only shows dependencies and might show packages which are not installed on your system.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 2 hours ago

























          answered 2 hours ago









          Steffen Ullrich

          108k12185252




          108k12185252











          • Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
            – AndrolGenhald
            2 hours ago
















          • Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
            – AndrolGenhald
            2 hours ago















          Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
          – AndrolGenhald
          2 hours ago




          Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
          – AndrolGenhald
          2 hours ago












          up vote
          -1
          down vote














          Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?




          The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):



          • KDE uses libssh for the sftp file transfers

          • GitHub implemented their git ssh server with libssh

          • X2Go is a Remote Desktop solution for Linux


          Also, does OpenSSH rely on libssh or are they two separate implementations?




          As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.






          share|improve this answer






















          • The libcrypto part?
            – hft
            2 hours ago










          • Yes, only the libcrypto part.
            – Steffen Ullrich
            2 hours ago










          • "OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
            – Steffen Ullrich
            1 hour ago















          up vote
          -1
          down vote














          Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?




          The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):



          • KDE uses libssh for the sftp file transfers

          • GitHub implemented their git ssh server with libssh

          • X2Go is a Remote Desktop solution for Linux


          Also, does OpenSSH rely on libssh or are they two separate implementations?




          As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.






          share|improve this answer






















          • The libcrypto part?
            – hft
            2 hours ago










          • Yes, only the libcrypto part.
            – Steffen Ullrich
            2 hours ago










          • "OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
            – Steffen Ullrich
            1 hour ago













          up vote
          -1
          down vote










          up vote
          -1
          down vote










          Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?




          The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):



          • KDE uses libssh for the sftp file transfers

          • GitHub implemented their git ssh server with libssh

          • X2Go is a Remote Desktop solution for Linux


          Also, does OpenSSH rely on libssh or are they two separate implementations?




          As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.






          share|improve this answer















          Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?




          The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):



          • KDE uses libssh for the sftp file transfers

          • GitHub implemented their git ssh server with libssh

          • X2Go is a Remote Desktop solution for Linux


          Also, does OpenSSH rely on libssh or are they two separate implementations?




          As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 2 hours ago

























          answered 2 hours ago









          hft

          1,197617




          1,197617











          • The libcrypto part?
            – hft
            2 hours ago










          • Yes, only the libcrypto part.
            – Steffen Ullrich
            2 hours ago










          • "OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
            – Steffen Ullrich
            1 hour ago

















          • The libcrypto part?
            – hft
            2 hours ago










          • Yes, only the libcrypto part.
            – Steffen Ullrich
            2 hours ago










          • "OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
            – Steffen Ullrich
            1 hour ago
















          The libcrypto part?
          – hft
          2 hours ago




          The libcrypto part?
          – hft
          2 hours ago












          Yes, only the libcrypto part.
          – Steffen Ullrich
          2 hours ago




          Yes, only the libcrypto part.
          – Steffen Ullrich
          2 hours ago












          "OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
          – Steffen Ullrich
          1 hour ago





          "OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
          – Steffen Ullrich
          1 hour ago











          User0813484 is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          User0813484 is a new contributor. Be nice, and check out our Code of Conduct.












          User0813484 is a new contributor. Be nice, and check out our Code of Conduct.











          User0813484 is a new contributor. Be nice, and check out our Code of Conduct.













           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f195834%2fcve-2018-10933-bypass-ssh-authentication-libssh-vulnerability%23new-answer', 'question_page');

          );

          Post as a guest













































































          Comments

          Popular posts from this blog

          What does second last employer means? [closed]

          Installing NextGIS Connect into QGIS 3?

          One-line joke