A lately discovered LibSSH weakness, that has been called as ‘comically bad’ by the safety scientist who found it, has been repaired. The fault is extremely easy to abuse. Obviously, different scripts and tools have been published that permit weak apparatuses to be found and the fault to be abused.
If the LibSSH weakness is abused, which needs little expertise even without one of the published scripts, it would let an attacker start an attack and distantly execute code on a weak system.
The LibSSH weakness, which would allow anybody to login to a weak Linux/Unix server without having to provide a password, is as bad as it gets. The fault was found by Peter Winter-Smith of NCC Group, who found that verification can be avoided by sending an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message. The server is expecting an SSH2_MSG_USERAUTH_REQUEST message but will suppose that verification has successfully taken place if the SSH2_MSG_USERAUTH_SUCCESS message is sent in its place.
As per the latest safety advisory published by LibSSH, “The SSH2_MSG_USERAUTH_SUCCESS handler is planned only for communication from the server to the customer.”
The weakness is being followed as CVE-2018-10933 and is present in LibSSH types 0.6 and later. The fault has been patched in types 0.8.4 and 0.7.6.
Even though the fault is trivial to abuse, it is even easier using the scripts that have been issued. Leap Security has issued a script that searches for weak appliances, and there are quite a lot of available that will abuse the weakness and permit any code to be run with absolutely no skill needed.
Although the fault is of high-severity, luckily only a small number of appliances are weak. Anybody running a weak version must repair instantly. Failure to repair will almost certainly see the appliance compromised.