CVE-2018-10933 - Bypass SSH Authentication - libssh vulnerability
Clash Royale CLAN TAG#URR8PPP
up vote
6
down vote
favorite
Looks like CVE-2018-10933 was just released today and you can find a summary here from libssh here
Summary:
libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.
I am trying to understand this more and its range of impact. Do Operating Systems like Debian, Ubunutu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack? Also, does OpenSSH rely on libssh or are they two separate implementations? I tried looking for openssh v.s. libssh but couldn't find what I was looking for. This vulnerability sounds like the worst case scenario for SSH so I am just surprised it hasn't been making headlines or blowing up. The summary of this vuln is vague so I'm looking for any insight into the range of impact and in what scenarios I should be worried.
Thanks
authentication ssh vulnerability
New contributor
add a comment |Â
up vote
6
down vote
favorite
Looks like CVE-2018-10933 was just released today and you can find a summary here from libssh here
Summary:
libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.
I am trying to understand this more and its range of impact. Do Operating Systems like Debian, Ubunutu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack? Also, does OpenSSH rely on libssh or are they two separate implementations? I tried looking for openssh v.s. libssh but couldn't find what I was looking for. This vulnerability sounds like the worst case scenario for SSH so I am just surprised it hasn't been making headlines or blowing up. The summary of this vuln is vague so I'm looking for any insight into the range of impact and in what scenarios I should be worried.
Thanks
authentication ssh vulnerability
New contributor
add a comment |Â
up vote
6
down vote
favorite
up vote
6
down vote
favorite
Looks like CVE-2018-10933 was just released today and you can find a summary here from libssh here
Summary:
libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.
I am trying to understand this more and its range of impact. Do Operating Systems like Debian, Ubunutu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack? Also, does OpenSSH rely on libssh or are they two separate implementations? I tried looking for openssh v.s. libssh but couldn't find what I was looking for. This vulnerability sounds like the worst case scenario for SSH so I am just surprised it hasn't been making headlines or blowing up. The summary of this vuln is vague so I'm looking for any insight into the range of impact and in what scenarios I should be worried.
Thanks
authentication ssh vulnerability
New contributor
Looks like CVE-2018-10933 was just released today and you can find a summary here from libssh here
Summary:
libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.
I am trying to understand this more and its range of impact. Do Operating Systems like Debian, Ubunutu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack? Also, does OpenSSH rely on libssh or are they two separate implementations? I tried looking for openssh v.s. libssh but couldn't find what I was looking for. This vulnerability sounds like the worst case scenario for SSH so I am just surprised it hasn't been making headlines or blowing up. The summary of this vuln is vague so I'm looking for any insight into the range of impact and in what scenarios I should be worried.
Thanks
authentication ssh vulnerability
authentication ssh vulnerability
New contributor
New contributor
New contributor
asked 2 hours ago
User0813484
311
311
New contributor
New contributor
add a comment |Â
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
4
down vote
... does OpenSSH rely on libssh
OpenSSH does not rely on libssh.
I tried looking for openssh v.s. libssh ...
Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."
Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.
Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...
See the official documentation of libssh on who is using it (at least): KDE, GitHub...
You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4
. Note that this only shows dependencies and might show packages which are not installed on your system.
Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
â AndrolGenhald
2 hours ago
add a comment |Â
up vote
0
down vote
Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?
The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):
- KDE uses libssh for the sftp file transfers
- GitHub implemented their git ssh server with libssh
- X2Go is a Remote Desktop solution for Linux
Also, does OpenSSH rely on libssh or are they two separate implementations?
As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.
The libcrypto part?
â hft
2 hours ago
Yes, only the libcrypto part.
â Steffen Ullrich
2 hours ago
"OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
â Steffen Ullrich
1 hour ago
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
4
down vote
... does OpenSSH rely on libssh
OpenSSH does not rely on libssh.
I tried looking for openssh v.s. libssh ...
Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."
Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.
Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...
See the official documentation of libssh on who is using it (at least): KDE, GitHub...
You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4
. Note that this only shows dependencies and might show packages which are not installed on your system.
Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
â AndrolGenhald
2 hours ago
add a comment |Â
up vote
4
down vote
... does OpenSSH rely on libssh
OpenSSH does not rely on libssh.
I tried looking for openssh v.s. libssh ...
Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."
Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.
Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...
See the official documentation of libssh on who is using it (at least): KDE, GitHub...
You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4
. Note that this only shows dependencies and might show packages which are not installed on your system.
Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
â AndrolGenhald
2 hours ago
add a comment |Â
up vote
4
down vote
up vote
4
down vote
... does OpenSSH rely on libssh
OpenSSH does not rely on libssh.
I tried looking for openssh v.s. libssh ...
Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."
Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.
Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...
See the official documentation of libssh on who is using it (at least): KDE, GitHub...
You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4
. Note that this only shows dependencies and might show packages which are not installed on your system.
... does OpenSSH rely on libssh
OpenSSH does not rely on libssh.
I tried looking for openssh v.s. libssh ...
Actually, a search for openssh libssh gives me as first hit: OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."
Also, if OpenSSH would be affected you can sure that you would find such information at the official site for OpenSSH, which has explicitly a page about OpenSSH Security.
Do Operating Systems like Debian, Ubunutu rely on libssh for SSH ...
See the official documentation of libssh on who is using it (at least): KDE, GitHub...
You can also check which packages on your own OS use libssh, i.e. for Debian and similar (i.e. Ubuntu) this would be apt rdepends libssh-4
. Note that this only shows dependencies and might show packages which are not installed on your system.
edited 2 hours ago
answered 2 hours ago
Steffen Ullrich
108k12185252
108k12185252
Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
â AndrolGenhald
2 hours ago
add a comment |Â
Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
â AndrolGenhald
2 hours ago
Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
â AndrolGenhald
2 hours ago
Since KDE uses it for SFTP I'm guessing they don't use the server code. Must have been fun for GitHub to hear about though...
â AndrolGenhald
2 hours ago
add a comment |Â
up vote
0
down vote
Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?
The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):
- KDE uses libssh for the sftp file transfers
- GitHub implemented their git ssh server with libssh
- X2Go is a Remote Desktop solution for Linux
Also, does OpenSSH rely on libssh or are they two separate implementations?
As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.
The libcrypto part?
â hft
2 hours ago
Yes, only the libcrypto part.
â Steffen Ullrich
2 hours ago
"OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
â Steffen Ullrich
1 hour ago
add a comment |Â
up vote
0
down vote
Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?
The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):
- KDE uses libssh for the sftp file transfers
- GitHub implemented their git ssh server with libssh
- X2Go is a Remote Desktop solution for Linux
Also, does OpenSSH rely on libssh or are they two separate implementations?
As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.
The libcrypto part?
â hft
2 hours ago
Yes, only the libcrypto part.
â Steffen Ullrich
2 hours ago
"OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
â Steffen Ullrich
1 hour ago
add a comment |Â
up vote
0
down vote
up vote
0
down vote
Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?
The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):
- KDE uses libssh for the sftp file transfers
- GitHub implemented their git ssh server with libssh
- X2Go is a Remote Desktop solution for Linux
Also, does OpenSSH rely on libssh or are they two separate implementations?
As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.
Do Operating Systems like Debian, Ubuntu rely on libssh for SSH and if they do does that mean every server exposing SSH is vulnerable to this attack?
The issues may arise with applications that use libssh. As stated on the libssh website: "libssh is a C library that enables you to write a program that uses the SSH protocol." Thus, it is user applications that make use of the libssh library that could be vulnerable, not the operating system itself. Here are some applications that use libssh (from the libssh website):
- KDE uses libssh for the sftp file transfers
- GitHub implemented their git ssh server with libssh
- X2Go is a Remote Desktop solution for Linux
Also, does OpenSSH rely on libssh or are they two separate implementations?
As stated here on the OpenSSH website: "OpenSSH relies on the LibreSSL library for some of it's routines..." I.e., OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh.
edited 2 hours ago
answered 2 hours ago
hft
1,199617
1,199617
The libcrypto part?
â hft
2 hours ago
Yes, only the libcrypto part.
â Steffen Ullrich
2 hours ago
"OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
â Steffen Ullrich
1 hour ago
add a comment |Â
The libcrypto part?
â hft
2 hours ago
Yes, only the libcrypto part.
â Steffen Ullrich
2 hours ago
"OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
â Steffen Ullrich
1 hour ago
The libcrypto part?
â hft
2 hours ago
The libcrypto part?
â hft
2 hours ago
Yes, only the libcrypto part.
â Steffen Ullrich
2 hours ago
Yes, only the libcrypto part.
â Steffen Ullrich
2 hours ago
"OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
â Steffen Ullrich
1 hour ago
"OpenSSH states that they use parts of LibreSSL (the libcrypto part), but not libssh" - in the link you provide OpenSSH only states that it uses LibreSSL. It does not state that it does not use libssh and in my opinion this conclusion can also not be drawn from what they write there.
â Steffen Ullrich
1 hour ago
add a comment |Â
User0813484 is a new contributor. Be nice, and check out our Code of Conduct.
User0813484 is a new contributor. Be nice, and check out our Code of Conduct.
User0813484 is a new contributor. Be nice, and check out our Code of Conduct.
User0813484 is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f195834%2fcve-2018-10933-bypass-ssh-authentication-libssh-vulnerability%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password