Stories
Slash Boxes
Comments

SoylentNews is people

posted by chromas on Thursday October 18 2018, @11:50AM   Printer-friendly
from the I-can-come-in-now dept.

Submitted via IRC for Bytram

Trivial authentication bypass in libssh leaves servers wide open

There’s a four-year-old bug in the Secure Shell implementation known as libssh that makes it trivial for just about anyone to gain unfettered administrative control of a vulnerable server. While the authentication-bypass flaw represents a major security hole that should be patched immediately, it wasn’t immediately clear what sites or devices were vulnerable since neither the widely used OpenSSH nor Github’s implementation of libssh was affected.

[...] only vulnerable versions of libssh running in server mode are vulnerable, while the client mode is unaffected. Peter Winter-Smith, a researcher at security firm NCC who discovered the bug and privately reported it to libssh developers, told Ars the vulnerability is the result of libssh using the same machine state to authenticate clients and servers. Because exploits involve behavior that’s safe in the client but unsafe in the server context, only servers are affected.

[...] Rob Graham, who is CEO of the Errata Security firm, said the vulnerability “is a big deal to us but not necessarily a big deal to the readers. It’s fascinating that such a trusted component as SSH now becomes your downfall.”

Winter-Smith agreed. “I suspect this will end up being a nomination for most overhyped bug, since half the people on Twitter seem to worry that it affects OpenSSH and the other half (quite correctly!) worry that GitHub uses libssh, when in fact GitHub isn’t vulnerable,” he said. “Remove GitHub and my guess is you’ll be left with a small handful of random sftp servers or IoT devices and little else!”

[...] The SSH2_MSG_USERAUTH_SUCCESS message is used by the server to inform the client that they were authenticated successfully, it updates the internal libssh state machine to mark the client as being authenticated with the server. What I found was that if the exact same message is sent to the server it updates the state machine to tell the server the client is authenticated.

Technically: I would say that it’s surprising how fairly straightforward bugs with serious consequences can still lurk, and sometimes it pays to take a step back from fuzzing to try to understand how a protocol implementation works.

Again, anyone who runs a vulnerable version of libssh should patch immediately. And anyone who used the app to receive incoming connections from untrusted users should consider closely examining their servers for signs of compromise. At the same time, all indications at the moment are that the number of devices affected by this high-severity bug appear to be relatively small, a limitation that's being lost on many people discussing this bug over social media.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by bob_super on Friday October 19 2018, @04:09PM

    by bob_super (1357) on Friday October 19 2018, @04:09PM (#750992)

    Tazer
    Hammer
    Fire
    Nuke from orbit, to be sure

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2