SSH Authentication Bug Opens Door If You Say You're Logged-In

Due to a coding error, the libssh SSH authentication library would pass anyone who said they'd already successfully logged-in.

Christine Hall

October 18, 2018

2 Min Read
Libssh security vulnerability opens doors.

Another security vulnerability can be put in the "found and fixed" category. "Fixed," that is, if vulnerable servers apply the patch. The good news is that most servers aren't going to be affected, which narrows the problem down to mere thousands. It could have been much worse.

The problem was with libssh, the popular library for supporting the Secure Shell (SSH) authentication protocol, which due to a coding error would believe anyone who told it their login had already been authenticated and open the access door wide.

Technically speaking, the libssh SSH authentication process is usually started with the message "SSH2_MSG_USERAUTH_REQUEST", but if sent "SSH2_MSG_USERAUTH_SUCCESS" instead, the server would take this as all the proof it needed that the user had already successfully been authenticated.


The bug, officially CVE-2018-10933, was discovered by Peter Winter-Smith, a researcher at security firm NCC, who then reported it to libssh developers. The devs pushed out versions 0.8.4 and 0.7.6 to address the issue last Tuesday, as well as patches for older versions.

Only server installations need to be patched, as client installs are not vulnerable.

This could have had a nasty ending. The vulnerability had been present since the release of version 0.6.0, which was released in January 2014, but evidently escaped being discovered by the black hats. The potential scope of the exploit was reduced because most servers, IoT devices, and personal computers use the openssh library instead of libssh to implement SSH.

The latter does much to limit the scope of this exploit. According to Amit Serper, who is head of security research at Cybereason, the vulnerability affects a minimum of 3,000 servers (up to about 6,000), but those numbers are only a drop in the serverland bucket.

It could have also been much worse had GitHub, which uses libssh, been affected. Fortunately, GitHub has customized its implementation and doesn't use the SSH2_MSG_USERAUTH_SUCCESS message.

"Patches have been applied out of an abundance of caution," GitHub security said in a tweet, "but GHE was never vulnerable to CVE-2018-10933."

If they had been vulnerable, attackers could have gained access to its customers source code, which includes the code from some of the largest development houses in the world.


About the Author(s)

Christine Hall

Freelance author

Christine Hall has been a journalist since 1971. In 2001 she began writing a weekly consumer computer column and began covering IT full time in 2002, focusing on Linux and open source software. Since 2010 she's published and edited the website FOSS Force. Follow her on Twitter: @BrideOfLinux.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like