Trivial authentication bypass in libssh leaves servers wide open
There’s a four-year-old bug in the Secure Shell implementation known as libssh that makes it trivial for just about anyone to gain unfettered administrative control of a vulnerable server. While the authentication-bypass flaw represents a major security hole that should be patched immediately, it wasn’t immediately clear what sites or devices were vulnerable since neither the widely used OpenSSH nor Github’s implementation of libssh was affected.
The vulnerability, which was introduced in libssh version 0.6 released in 2014 makes it possible to log in by presenting a server with a SSH2_MSG_USERAUTH_SUCCESS message rather than the SSH2_MSG_USERAUTH_REQUEST message the server was expecting, according to an advisory published Tuesday. Exploits are the hacking equivalent of a Jedi mind trick, in which an adversary uses the Force to influence or confuse weaker-minded opponents. The last time the world saw an authentication-bypass bug with such serious consequences and requiring so little effort was 11 months ago, when Apple’s macOS let people log in as admin without entering a password.
The effects of malicious exploits, assuming there were any during the four-plus years the bug was active, are hard to fathom. In a worst-case scenario, attackers would be able to use exploits to gain complete control over vulnerable servers. The attackers could then steal encryption keys and user data, install rootkits and erase logs that recorded the unauthorized access. Anyone who has used a vulnerable version of libssh in server mode should consider conducting a thorough audit of their network immediately after updating.