- April 19, 2021: Updated Open Port findings search instructions.
LibSSH is an open source implementation of the SSH protocol. It is not a standalone product, but a library that handles server-side login procedures. It’s used by vendors such as GitHub, KDE, X2Go, and some systems from Red Hat.
Vulnerability
LibSSH versions 0.6 and above have an authentication bypass vulnerability in the server code[1]. The vulnerability was introduced in LibSSH version 0.6, released in January of 2014. The library fails to validate the incoming “successful login” packet: it does not check whether the authentication process has been completed, and it can’t determine whether the packet was sent by the server or the client. An attacker who bypasses authentication this way could then steal encryption keys, access user data, install rootkits, and erase logs that recorded the unauthorized access.
Learn more in CVE-2018-10933.
Affected Products
- A product that has been confirmed to be affected is Red Hat Enterprise Linux 7. Cisco is investigating their product line to determine which products may be affected[2].
- There are publicly known exploits for this vulnerability and it is being actively exploited[3].
- While GitHub uses LibSSH, it uses a custom implementation that does not rely on the vulnerable message for public key authentication, and should therefore not be vulnerable.
- Most servers, IoT devices, and personal computers prefer to implement SSH support via the OpenSSH library instead of LibSSH. The vulnerability is only present in the LibSSH server-side code. A LibSSH-based client won't allow an attacker access to your system unless the client is also configured to run as an SSH server.
Remediation
The LibSSH team addressed the vulnerability with the release of versions 0.8.4 and 0.7.6. If you have LibSSH installed and you are using the server component, you are encouraged to conduct a thorough audit of your network and to apply these patches. If patches are unavailable, limiting exposure as a temporary workaround is recommended.
- Search among your Open Port findings to detect this vulnerability in your organization.
- To see if a company in your portfolio is vulnerable, go to your portfolio, and then search for “CVE-2018-10933” within the Vulnerability filter.
We have visibility of SSH systems reporting a vulnerable version of LibSSH. This visibility may not be complete, as some systems may not report the use of the library despite using it. Other systems may report a vulnerable version even though they have already been patched.
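The version ranges above can be turned into a triage of SSH identification strings collected from your own hosts. The following is an added example, not code from the LibSSH project or from this article's publisher. It assumes the library reports itself as `libssh` followed by `-` or `_` and a version, and that branches later than 0.8 carry the fix; the status names and sample banners are constructed.

```python
import re

# Assumption: the banner carries "libssh" plus "-" or "_" and a dotted version.
# The lookahead keeps "libssh2", a different library, out of the results.
BANNER_RE = re.compile(
    r"^SSH-[\d.]+-libssh(?![0-9a-z])(?:[-_](\d+(?:\.\d+){1,2}))?", re.I)

# First fixed release per branch, from the Remediation section.
FIXED = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}
INTRODUCED = (0, 6, 0)  # the bug first appears in LibSSH 0.6


def classify(banner: str) -> str:
    """Classify one SSH identification string against CVE-2018-10933."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return "not_libssh"
    if m.group(1) is None:
        return "libssh_version_unknown"  # library present, version not reported
    parts = [int(p) for p in m.group(1).split(".")]
    version = tuple(parts + [0] * (3 - len(parts)))
    if version < INTRODUCED:
        return "predates_bug"
    branch = version[:2]
    if branch in FIXED:
        fixed = version >= FIXED[branch]
        return "fixed_by_version" if fixed else "vulnerable_by_version"
    if branch == (0, 6):
        return "vulnerable_by_version"   # the page lists no fixed 0.6.x release
    return "fixed_by_version"            # assumption: later branches are fixed


def triage(banners):
    """Group banners by status; the verdict rests on the reported version only."""
    result = {}
    for b in banners:
        result.setdefault(classify(b), []).append(b)
    return result


# Constructed sample banners, not taken from real hosts.
SAMPLE = [
    "SSH-2.0-libssh-0.6.3", "SSH-2.0-libssh-0.7.5", "SSH-2.0-libssh-0.7.6",
    "SSH-2.0-libssh_0.8.1", "SSH-2.0-libssh_0.8.4", "SSH-2.0-libssh",
    "SSH-2.0-OpenSSH_7.4", "SSH-2.0-libssh-0.5.2", "SSH-2.0-libssh2_1.8.0",
]

if __name__ == "__main__":
    for status, hits in triage(SAMPLE).items():
        print(f"{status}: {hits}")
```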