A critical vulnerability has been disclosed in Libssh, a library that implements the Secure Shell (SSH) protocol, potentially allowing unauthorized access to vulnerable servers for the past four years. The issue, tracked as CVE-2018-10933, enables attackers to bypass authentication entirely, granting them administrative control without requiring a password.

This authentication bypass vulnerability was first introduced in Libssh version 0.6, released in early 2014, which means a significant number of enterprise servers could have been exposed to attacks during this period. However, it is important to note that more widely used SSH implementations such as OpenSSH, as well as GitHub’s version of Libssh, remain unaffected.

The nature of the exploit is notably simple due to a logical flaw in the code. An attacker can send an “SSH2_MSG_USERAUTH_SUCCESS” message to an SSH-enabled server when it expects an “SSH2_MSG_USERAUTH_REQUEST,” effectively deceiving the system into granting access without proper authentication.

This situation arises because Libssh fails to verify whether the successful login message originates from the server or the client. Consequently, if an external actor sends the SSH2 message indicative of a successful login, the Libssh library erroneously assumes that authentication was successful, thereby allowing potential attackers unobstructed access to the server.
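The missing check described above can be shown with a simplified model, added here as an illustration and not taken from Libssh's source. The `session` struct and the function names are hypothetical; the message numbers are the ones assigned in RFC 4252. The flawed dispatcher accepts the success message on a server session, while the filtered one drops any message the local role should never receive.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Message numbers from RFC 4252. */
enum { MSG_USERAUTH_REQUEST = 50, MSG_USERAUTH_SUCCESS = 52 };
enum role { ROLE_CLIENT, ROLE_SERVER };

/* Hypothetical session record for this model, not libssh's own struct. */
struct session { enum role role; bool authenticated; };

/* Flawed dispatch: the SUCCESS handler runs no matter which side we are. */
static void handle_flawed(struct session *s, uint8_t msg, bool creds_valid) {
    if (msg == MSG_USERAUTH_REQUEST && creds_valid)
        s->authenticated = true;
    else if (msg == MSG_USERAUTH_SUCCESS)
        s->authenticated = true; /* only meaningful on a client session */
}

/* Filtered dispatch: returns false when the message is dropped for this role. */
static bool handle_filtered(struct session *s, uint8_t msg, bool creds_valid) {
    switch (msg) {
    case MSG_USERAUTH_REQUEST:
        if (s->role != ROLE_SERVER) return false;
        if (creds_valid) s->authenticated = true;
        return true;
    case MSG_USERAUTH_SUCCESS:
        if (s->role != ROLE_CLIENT) return false; /* a server never accepts this */
        s->authenticated = true;
        return true;
    default:
        return false;
    }
}

/* Auth state of a fresh server session after receiving one message. */
bool server_auth_after(bool filtered, uint8_t msg, bool creds_valid) {
    struct session s = { ROLE_SERVER, false };
    if (filtered) handle_filtered(&s, msg, creds_valid);
    else handle_flawed(&s, msg, creds_valid);
    return s.authenticated;
}

int main(void) {
    printf("flawed,   SUCCESS from peer: %d\n", server_auth_after(false, MSG_USERAUTH_SUCCESS, false));
    printf("filtered, SUCCESS from peer: %d\n", server_auth_after(true, MSG_USERAUTH_SUCCESS, false));
    printf("filtered, valid REQUEST:     %d\n", server_auth_after(true, MSG_USERAUTH_REQUEST, true));
    return 0;
}
```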

GitHub, despite employing Libssh in its operations, has confirmed that its GitHub Enterprise and official website are exempt from this vulnerability. A representative clarified on social media that GitHub relies on a customized version of Libssh, which does not depend on the vulnerable SSH2 message for public key-based authentication.

Recent analyses via Shodan indicate that approximately 6,500 internet-facing servers may still be at risk due to this oversight, underscoring the urgency for action. The flaw was discovered by Peter Winter-Smith of NCC Group, who has responsibly reported the issue to the Libssh team. In response, Libssh has rolled out updates in versions 0.8.4 and 0.7.6, effectively addressing this vulnerability.

For businesses utilizing Libssh, particularly in server environments, it is highly recommended to update to the latest versions promptly to safeguard against potential exploitation.

Overall, this incident highlights pressing concerns in cybersecurity where even small errors in code can lead to extensive vulnerabilities. Understanding and mitigating such risks remain crucial for organizations relying on SSH protocol libraries and similar technologies, emphasizing the necessity of regular audits and updates in security frameworks to counter emerging threats.