A recently disclosed LibSSH vulnerability, described as "comically bad" by the security researcher who found it, has been patched. The vulnerability is extremely easy to exploit. Unsurprisingly, several scripts and tools have already been published that allow vulnerable devices to be found and the flaw to be exploited.
If the LibSSH vulnerability is exploited, which requires little expertise even without one of the published scripts, an attacker could remotely execute code on a vulnerable system.
The LibSSH vulnerability, which would allow anyone to log in to a vulnerable Linux/Unix server without providing a password, is as bad as it gets. It was found by Peter Winter-Smith of NCC Group, who discovered that authentication can be bypassed by sending an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message. The server expects an SSH2_MSG_USERAUTH_REQUEST message, but assumes that authentication has already succeeded if an SSH2_MSG_USERAUTH_SUCCESS message is sent instead.
As the latest security advisory published by LibSSH puts it, "The SSH2_MSG_USERAUTH_SUCCESS handler is intended only for communication from the server to the client."
The vulnerability is being tracked as CVE-2018-10933 and is present in LibSSH versions 0.6 and later. The flaw has been patched in versions 0.8.4 and 0.7.6.
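The bypass described above and the affected version ranges, illustrated with an added example that is not LibSSH's own code: a simplified model of a server's userauth message dispatcher in its vulnerable and fixed forms (the `Session` class, `check_credentials` and its constructed test account are assumptions made for the model), plus a version check that assumes every release after 0.8.4 carries the fix.

```python
# Added example (not libssh's own code): a simplified model of the server-side
# userauth dispatcher showing the CVE-2018-10933 defect and its fix, plus a
# version check for the affected ranges the article states.
from dataclasses import dataclass, field

# Message numbers from RFC 4252 (SSH authentication protocol).
SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_USERAUTH_SUCCESS = 52

@dataclass
class Session:
    server_mode: bool          # True when this side is the SSH server
    authenticated: bool = False
    log: list = field(default_factory=list)

def check_credentials(payload: dict) -> bool:
    # Stand-in for real credential verification (constructed test account).
    return payload.get("user") == "alice" and payload.get("password") == "correct horse"

def vulnerable_dispatch(sess: Session, msg_type: int, payload: dict) -> None:
    # Vulnerable behaviour: the USERAUTH_SUCCESS handler runs regardless of
    # role, so a server honours a SUCCESS message sent by the client.
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        sess.authenticated = check_credentials(payload)
    elif msg_type == SSH2_MSG_USERAUTH_SUCCESS:
        sess.authenticated = True

def fixed_dispatch(sess: Session, msg_type: int, payload: dict) -> None:
    # Fixed behaviour: USERAUTH_SUCCESS only means something server -> client,
    # so a server ignores it and logs the anomaly (a useful detection signal).
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        sess.authenticated = check_credentials(payload)
    elif msg_type == SSH2_MSG_USERAUTH_SUCCESS:
        if sess.server_mode:
            sess.log.append("unexpected SSH2_MSG_USERAUTH_SUCCESS from client; ignored")
        else:
            sess.authenticated = True

def parse_version(v: str) -> tuple:
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version: str) -> bool:
    """Affected: 0.6 up to but excluding the fixed releases 0.7.6 and 0.8.4.
    Assumes every release after 0.8.4 carries the fix."""
    v = parse_version(version)
    return (0, 6, 0) <= v < (0, 7, 6) or (0, 8, 0) <= v < (0, 8, 4)
```

In the fixed dispatcher, a client-sent SSH2_MSG_USERAUTH_SUCCESS never flips the session to authenticated; the logged anomaly is exactly the event a server-side detection rule for this bypass would key on.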
Even though the flaw is trivial to exploit, it is easier still with the scripts that have been released. Leap Security has released a script that searches for vulnerable devices, and quite a few others are available that will exploit the vulnerability and allow arbitrary code to be run with no skill required.
Although the flaw is high-severity, fortunately only a small number of devices are vulnerable. Anyone running a vulnerable version must patch immediately. Failure to patch will almost certainly see the device compromised.