If someone knocks on your door, it would be reasonable to determine who it might be. Upon asking “who is it?”, if they were to respond with “I can come in!” you may be taken aback and make additional attempts to work out who it actually is.
SSH, or Secure Socket Shell is a protocol which provides a secure method of administering remote devices. A recently discovered vulnerability (CVE-2018-10933) affecting versions 0.6 and above of LibSSH, allows an attacker to entirely bypass the authentication process. The authentication exchange happens similar to the example above. Should the client send the appropriate message, access will be granted regardless of the authentication information provided.
In a typical authentication exchange, the server expects the user to present a “SSH2_MSG_USERAUTH_REQUEST” message indicating that authentication needs to take place. Should the user instead provide a “SSH2_MSG_USERAUTH_SUCCESS” message, the server will assume that authentication has already taken place and grant access to the user.
The use of LibSSH is generally limited, as it is not the default SSH daemon shipped in common Linux distributions; however, if you are utilising LibSSH for any business workflows, you may be vulnerable. Organisations presenting SSH services externally should determine whether LibSSH is in use and apply the appropriate patches as a matter of priority.
Due to the severity of the vulnerability, any devices which are vulnerable have a high likelihood of becoming compromised, potentially impacting the Confidentiality, Integrity and Availability of any associated services.
LibSSH have released versions 0.8.4 and 0.7.6 which address CVE-2018-10933 and several other security issues. These may be downloaded directly from https://www.libssh.org/files/ and installed on all affected devices.
OpenSSH is not affected by this vulnerability; however, it is recommended that management services are restricted when published to the internet through the implementation of address whitelisting. Where this is not possible, certificate-based authentication should be used.
Immediate remediation of critical vulnerabilities can be a significant task. It is vital that organisations understand the services which are being exposed to the internet and how they are being used. In addition, developing the appropriate policies and supporting procedures to facilitate critical security patching will further ease the remediation process in the future.
For more information on the identified vulnerability, the official security advisory may be accessed at https://www.libssh.org/security/advisories/CVE-2018-10933.txt.
If the above information raises any concerns within your organisation or you would like to discuss any of the issues with someone from CQR please email firstname.lastname@example.org