Very recently, we were made aware of a remote vulnerability in libssh.
At first it didn’t worry us. It does now.
Exploiting the flaw is trivial: an attacker only needs to send an “SSH2_MSG_USERAUTH_SUCCESS” message to a server with SSH enabled at the point where the server expects an “SSH2_MSG_USERAUTH_REQUEST” message.
The security advisory states: “libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server with an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message (which the server would expect to initiate authentication), the attacker could successfully authenticate without any credentials.”
At first, we weren’t too concerned, because we didn’t know that we had libssh installed on any of our servers or devices at the time. This couldn’t have been further from the truth: our firewalls and load balancers were most certainly affected.
F5 Networks released the following advisory: https://support.f5.com/csp/article/K52868493
**Please run a scan on your network using “nmap -p 22 subnet” to identify hosts that may be running an outdated, vulnerable libssh.**
The libssh maintainers addressed the flaw with the release of libssh versions 0.8.4 and 0.7.6.
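As an added example (not from the original post, F5 or the libssh project), a small Python triage helper that turns the SSH banners an nmap scan reports on port 22 into an affected/patched decision using the fixed versions named above. The host addresses and banner strings are constructed, and the affected range it encodes (0.6.0 up to but excluding 0.7.6 and 0.8.4 on their respective branches, later branches assumed post-fix) is an assumption derived from the advisory text.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fix releases named in the post. Assumption: on each branch everything below
# the fix is affected; 0.6.x has no fix release listed, so all of it is affected.
FIXED: Dict[Tuple[int, int], Version] = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}
FIRST_AFFECTED: Version = (0, 6, 0)

# libssh banners have used both "libssh_x.y.z" and "libssh-x.y.z" (assumption: accept both).
BANNER_RE = re.compile(r"SSH-2\.0-libssh[_-](\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_libssh_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch) from an SSH identification string, or None if not libssh."""
    m = BANNER_RE.search(banner.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when the libssh version falls inside the advisory's affected range."""
    if version < FIRST_AFFECTED:
        return False
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    # 0.6.x never received a fix release; any later branch is assumed to carry the fix.
    return branch == (0, 6)


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'affected' | 'patched' | 'not libssh' for scanned banner lines."""
    result = {}
    for host, banner in banners.items():
        v = parse_libssh_version(banner)
        if v is None:
            result[host] = "not libssh"
        else:
            result[host] = "affected" if is_affected(v) else "patched"
    return result


# Constructed sample banners, shaped like what `nmap -sV -p 22` reports per host.
SAMPLE = {
    "10.0.0.1": "SSH-2.0-libssh_0.7.4",
    "10.0.0.2": "SSH-2.0-libssh_0.8.4",
    "10.0.0.3": "SSH-2.0-libssh-0.6.3",
    "10.0.0.4": "SSH-2.0-OpenSSH_7.4",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```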
References
https://www.guardicore.com/2018/10/libssh-new-vulnerability-allows-authentication-bypass
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10933