Alert Logic® is actively researching a vulnerability in the libssh server-side state machine, affecting versions before 0.7.6 and 0.8.4. A malicious client could open channels without first authenticating, resulting in unauthorized access. Impact is expected to be limited to a relatively small number of servers, since only affected versions of libssh running in server mode are exposed; client mode is unaffected.
CVE-2018-10933, first introduced in 2014 with the release of libssh 0.6, is an authentication-bypass bug. By sending the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message that the server expects to initiate authentication, an attacker can authenticate without any credentials.
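To make the bug class concrete, the following is an added illustration written for this article; it is not libssh's code. It models a simplified server-side userauth state machine in two forms: a flawed dispatcher that honours a USERAUTH_SUCCESS message even though only a server may legitimately send one, and a corrected dispatcher that changes the authenticated flag only after verifying a USERAUTH_REQUEST and treats any server-only message from the client as a protocol violation. The message numbers are the real SSH constants from RFC 4252; the credential store, the "user:password" payload format and the function names are constructed for the demo.

```python
import hmac

# Added illustration, not libssh's code: a minimal model of the server-side
# userauth state machine, showing the CVE-2018-10933 bug class beside the
# corrected behaviour. Message numbers are the real SSH constants (RFC 4252).
SSH2_MSG_USERAUTH_REQUEST = 50  # client -> server: request authentication
SSH2_MSG_USERAUTH_FAILURE = 51  # server -> client: reject
SSH2_MSG_USERAUTH_SUCCESS = 52  # server -> client: accept (never valid from a client)

# Constructed credential store for the demo (hypothetical values).
VALID_CREDENTIALS = {b"alice": b"correct horse battery staple"}


class ProtocolViolation(Exception):
    """Raised when a peer sends a message the current state does not allow."""


class Session:
    def __init__(self):
        self.authenticated = False
        self.log = []


def verify_credentials(payload):
    """Parse a constructed 'user:password' payload and check it in constant time."""
    user, _, password = payload.partition(b":")
    expected = VALID_CREDENTIALS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def vulnerable_dispatch(session, msg_type, payload=b""):
    """Flawed handler: a handler for USERAUTH_SUCCESS, a message only a server
    should ever emit, is reachable from the client side, so a client that sends
    it is marked authenticated without any credential check."""
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        session.authenticated = verify_credentials(payload)
        return SSH2_MSG_USERAUTH_SUCCESS if session.authenticated else SSH2_MSG_USERAUTH_FAILURE
    if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
        session.authenticated = True  # BUG: trusts a server-to-client message arriving from the client
        return None
    session.log.append(f"ignored message type {msg_type}")
    return None


def hardened_dispatch(session, msg_type, payload=b""):
    """Corrected handler: the authenticated flag changes only as the result of
    verifying a USERAUTH_REQUEST. Any server-only message arriving from the
    client is a protocol violation and terminates the session."""
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        session.authenticated = verify_credentials(payload)
        return SSH2_MSG_USERAUTH_SUCCESS if session.authenticated else SSH2_MSG_USERAUTH_FAILURE
    session.log.append(f"unexpected client message type {msg_type}; disconnecting")
    raise ProtocolViolation(f"client may not send message type {msg_type} before authentication")


def probe(dispatch):
    """Regression check: feed a dispatcher a client-originated USERAUTH_SUCCESS
    with no prior USERAUTH_REQUEST and report whether it granted access."""
    session = Session()
    try:
        dispatch(session, SSH2_MSG_USERAUTH_SUCCESS)
    except ProtocolViolation:
        pass
    return session.authenticated


if __name__ == "__main__":
    print("vulnerable model grants access without credentials:", probe(vulnerable_dispatch))
    print("hardened model grants access without credentials:", probe(hardened_dispatch))
```

The design point is that the fix is a state-machine rule, not a credential check: a server must reject any message that its peer is not permitted to send in the current state, regardless of the message's contents. The `probe` function doubles as the kind of regression test one would keep around to confirm that an upgraded build no longer accepts the out-of-state message.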
On October 16, 2018, libssh made the vulnerability public when it released fixes in libssh 0.8.4 and 0.7.6.
Alert Logic Status and Coverage
After a complete check of the Alert Logic systems, we have determined that we are not impacted as we do not run the vulnerable version of libssh. In addition, the Alert Logic appliance is not vulnerable.
Due to the nature of this vulnerability, vulnerability scanning is the primary method for customer detection. Alert Logic is currently developing scanning coverage to identify vulnerable assets.
Recommendations for Mitigation
The only method to mitigate this vulnerability is to upgrade to a non-vulnerable version of libssh – either 0.7.6 or 0.8.4. In addition, any user running a vulnerable version of libssh in server mode should conduct a thorough audit of their network.
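Because the affected ranges are defined purely by version (introduced in 0.6, fixed in 0.7.6 and 0.8.4), a first-pass inventory check can be done from SSH server identification strings, which is the kind of test a vulnerability scanner performs. The following added example is written for this article and is not Alert Logic's scanner; it assumes the server banner names libssh as "libssh_X.Y.Z" or "libssh-X.Y.Z" (other formats are reported as not libssh), and the sample banners are constructed, not captured from real hosts.

```python
import re

# Added example (not Alert Logic's scanner): classify libssh server banners
# against the affected ranges the advisory gives (introduced in 0.6, fixed in
# 0.7.6 and 0.8.4). Assumes the identification string names libssh as
# "libssh_X.Y.Z" or "libssh-X.Y.Z"; anything else is reported as not libssh.

# Constructed sample banners, not captured from real hosts.
SAMPLE_BANNERS = [
    "SSH-2.0-libssh_0.8.3\r\n",
    "SSH-2.0-libssh_0.8.4\r\n",
    "SSH-2.0-libssh-0.7.2\r\n",
    "SSH-2.0-libssh_0.7.6\r\n",
    "SSH-2.0-libssh-0.5.5\r\n",
    "SSH-2.0-OpenSSH_7.4\r\n",
]

BANNER_RE = re.compile(r"^SSH-2\.0-libssh[_-](\d+)\.(\d+)(?:\.(\d+))?")


def parse_libssh_version(banner):
    """Return (major, minor, patch) for a libssh banner, or None for anything else."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(banner):
    """Map one banner to a verdict using the advisory's version ranges."""
    version = parse_libssh_version(banner)
    if version is None:
        return "not libssh"
    if version < (0, 6, 0):
        return "unaffected"  # bug was introduced with 0.6
    if (0, 6, 0) <= version < (0, 7, 6):
        return "vulnerable"  # 0.6.x and 0.7.0 through 0.7.5
    if (0, 8, 0) <= version < (0, 8, 4):
        return "vulnerable"  # 0.8.0 through 0.8.3
    return "patched"  # 0.7.6 and later 0.7.x, 0.8.4 and later


def scan(banners):
    """Classify a batch of banners; returns (banner, verdict) pairs."""
    return [(b.strip(), classify(b)) for b in banners]


def vulnerable_hosts(banners):
    """Banners whose version falls inside an affected range."""
    return [b for b, verdict in scan(banners) if verdict == "vulnerable"]


if __name__ == "__main__":
    for banner, verdict in scan(SAMPLE_BANNERS):
        print(f"{banner:32} {verdict}")
```

Two caveats a practitioner should keep in mind. A listening service that presents a libssh banner is by definition running in server mode, so the client-mode exclusion does not reduce the findings here. In the other direction, a banner check can only see the version string: a distribution that backports the fix without changing the version number will show as vulnerable, and a server that rewrites or hides its banner will not be seen at all, so confirm results against package inventory before closing a finding.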
We will update this section with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click the FOLLOW button at the top of this article.
10/19/18: Vulnerability scan coverage is now available to identify vulnerable assets.