Newly released versions of the libssh library fix an authentication bypass flaw that grants access to the server by just telling it that the procedure was a success.
The libssh library enables support of the Secure Shell (SSH) protocol in applications, allowing an encrypted connection between clients and servers.
Discovered by Peter Winter-Smith of NCC Group, the vulnerability received the identifier CVE-2018-10933 and affects the server side of libssh.
Laughably easy to exploit is an understatement
Triggering it is a simple matter of sending the server an SSH2_MSG_USERAUTH_SUCCESS message, the message that signals that authentication has already completed without a problem.
The server expects an SSH2_MSG_USERAUTH_REQUEST message to start the authentication procedure, but by skipping it and sending the success message instead, an attacker can log in without presenting any credentials.
The flaw is present in library versions 0.6 and above, and there is no workaround available, according to an advisory the libssh team published on Thursday. The issue has been addressed in revisions 0.8.4 and 0.7.6 of the library.
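The defect as a simplified server-side state machine, written here as an added illustration and not libssh's own code: the flawed handler honours the success message no matter which side sent it, while the hardened handler accepts only a USERAUTH_REQUEST from the client and treats a client-sent SUCCESS or FAILURE as a protocol violation. The message numbers are the RFC 4252 values; the credential check, the user "alice" and the message transcripts are constructed placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Message numbers from RFC 4252 (the SSH authentication protocol). */
#define SSH2_MSG_USERAUTH_REQUEST 50
#define SSH2_MSG_USERAUTH_FAILURE 51
#define SSH2_MSG_USERAUTH_SUCCESS 52

typedef struct { bool authenticated; } session_t;
typedef struct { int type; const char *user; const char *secret; } msg_t;
typedef void (*handler_fn)(session_t *, const msg_t *);
/* Constructed stand-in for a real credential check (hypothetical user). */
static bool verify_credentials(const char *user, const char *secret) {
    return user && secret && strcmp(user, "alice") == 0 &&
           strcmp(secret, "correct-horse") == 0;
}

/* Flawed model: every USERAUTH_* message is honoured regardless of direction,
 * so a client-sent USERAUTH_SUCCESS authenticates the session unchecked. */
void handle_message_flawed(session_t *s, const msg_t *m) {
    switch (m->type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        if (verify_credentials(m->user, m->secret)) s->authenticated = true;
        break;
    case SSH2_MSG_USERAUTH_SUCCESS: /* server-to-client only, yet honoured */
        s->authenticated = true;
        break;
    }
}

/* Hardened model: a server accepts only USERAUTH_REQUEST from the client;
 * SUCCESS and FAILURE are messages it sends, so receiving one is a violation. */
void handle_message_hardened(session_t *s, const msg_t *m) {
    switch (m->type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        if (verify_credentials(m->user, m->secret)) s->authenticated = true;
        break;
    case SSH2_MSG_USERAUTH_SUCCESS:
    case SSH2_MSG_USERAUTH_FAILURE:
        s->authenticated = false; /* reject; a real server would disconnect */
        break;
    }
}

/* Feeds a constructed client transcript to a handler; true if authenticated. */
bool authenticated_after(handler_fn h, const msg_t *msgs, size_t n) {
    session_t s = { false };
    for (size_t i = 0; i < n; i++) h(&s, &msgs[i]);
    return s.authenticated;
}
```

The same one-message transcript authenticates against the flawed handler and is rejected by the hardened one, which is the whole difference between the two versions of the logic.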
Tally of affected servers unknown
A quick search for 'libssh' on Shodan shows that the library is present on more than 6,000 systems available online. Amit Serper, head of research at security company Cybereason, filtered the results by adding the default SSH port to the query, which dropped the number to around 3,000.
Errrr.... Uh-oh. pic.twitter.com/E4L6JInc0j
— Amit Serper (@0xAmit) October 16, 2018
It is important to note that these searches make no distinction between the various versions of libssh running on machines connected to the internet. The results showed that some of them used versions lower than 0.6, which are not affected by CVE-2018-10933, but include other bugs.
Code on GitHub is safe
One organization that relies on libssh is GitHub, albeit through a custom implementation that does not rely on the SSH2_MSG_USERAUTH_SUCCESS message for its public-key authentication.
"Patches have been applied out of an abundance of caution, but [GitHub Enterprise] was never vulnerable to CVE-2018-10933," the company tweeted.
We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but GHE was never vulnerable to CVE-2018-10933.
— GitHub Security (@GitHubSecurity) October 17, 2018
The simplicity of the bypass has not gone unnoticed, with one user comparing it to a Jedi mind trick for the hacker world:
holy balls. this is incredible
— Fiora the Spooky (@FioraAeterna) October 16, 2018
the vulnerability literally works like this:
me: "can i log in?"
server: "no. you need a password."
me: "hacker voice i'm in"
server: "login successful. you're in" https://t.co/O3sSKpmkfX
Others likened the vulnerability to tricks seen in cartoons:
i'm logged in
— Ex (@xkeepah) October 16, 2018
no you aren't
yes i am
no you aren't
yes i am
no you aren't
no i'm not
yes you ar-- wait just a damn minute
Comments
Shadz - 5 years ago
Those tweets were funny! XD
Dominique1 - 5 years ago
Wow! This is stupid programming. The developers must have coded this flaw on purpose.