Flaw in Libssh Grants Admin Control to Servers

Security researcher Peter Winter-Smith discovered a four-year-old authentication bypass vulnerability in the server code of libssh versions 0.6 and above. According to Winter-Smith’s tweet, “The root cause is that the libSSH server and client share a state machine, so packets designed only to be processed by and update the client state can update the server state.” In the security advisory for CVE-2018-10933, Winter-Smith summarized, “There is a vulnerability within the server code which can enable a client to bypass the authentication process and set the internal state machine maintained by the library to authenticated, enabling the (otherwise prohibited) creation of channels.” An attacker could authenticate without credentials by presenting the server with an SSH2_MSG_USERAUTH_SUCCESS message (the message a server normally sends to a client to signal that authentication succeeded) instead of the expected SSH2_MSG_USERAUTH_REQUEST message that initiates authentication. Only libssh instances running in server mode are affected.
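To make the root cause concrete, here is an added toy model in C (not libssh's code) of a userauth state machine handled by one shared dispatcher beside a role-aware one. The struct, function and state names are hypothetical; the message numbers are the real RFC 4252 values.

```c
#include <stdbool.h>
#include <stdint.h>

/* Message numbers from RFC 4252 (the SSH userauth protocol). */
#define SSH_MSG_USERAUTH_REQUEST 50
#define SSH_MSG_USERAUTH_FAILURE 51
#define SSH_MSG_USERAUTH_SUCCESS 52

enum role { ROLE_CLIENT, ROLE_SERVER };
enum auth_state { AUTH_NONE, AUTH_REQUESTED, AUTH_OK };

struct session {
    enum role role;        /* which side of the connection we are */
    enum auth_state state; /* shared by both roles, as in the flaw described */
};

/* Hypothetical shared dispatcher modelling the flaw: one handler table for
 * both roles, so a server session also consumes a client-only message and
 * flips itself to authenticated without ever checking credentials. */
int dispatch_shared(struct session *s, uint8_t type)
{
    switch (type) {
    case SSH_MSG_USERAUTH_REQUEST:
        s->state = AUTH_REQUESTED; /* credentials would be verified here */
        return 0;
    case SSH_MSG_USERAUTH_SUCCESS:
        s->state = AUTH_OK;        /* trusted regardless of our role */
        return 0;
    default:
        return -1;
    }
}

/* Role-aware dispatcher: a peer may only send messages its role is allowed
 * to send. USERAUTH_SUCCESS is server-to-client only, so a server that
 * receives it treats it as a protocol violation (log it and disconnect). */
int dispatch_role_aware(struct session *s, uint8_t type)
{
    if (type == SSH_MSG_USERAUTH_SUCCESS && s->role == ROLE_SERVER)
        return -1;
    if (type == SSH_MSG_USERAUTH_REQUEST && s->role == ROLE_CLIENT)
        return -1;
    return dispatch_shared(s, type);
}

/* Does a fresh, unauthenticated server session end up authenticated after
 * receiving one message of the given type under the given dispatcher? */
bool server_authenticated_after(int (*dispatch)(struct session *, uint8_t),
                                uint8_t type)
{
    struct session s = { ROLE_SERVER, AUTH_NONE };
    dispatch(&s, type);
    return s.state == AUTH_OK;
}
```

The same pattern applies to any protocol library that reuses one packet handler table for both endpoints: the allowed message set must be filtered by role before the state is updated.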

Read full news article on Infosecurity
