libssh Server-Side State Machine Unauthorized Access Vulnerability [CVE-2018-10933]
CVE Number – CVE-2018-10933
A vulnerability in libssh could allow an unauthenticated, remote attacker to bypass authentication on a targeted system.
The vulnerability is due to improper authentication operations by the server-side state machine of the affected software. An attacker could exploit this vulnerability by presenting an SSH2_MSG_USERAUTH_SUCCESS message to a targeted system. A successful exploit could allow the attacker to bypass authentication and gain unauthorized access to a targeted system.
libssh.org has confirmed the vulnerability and released software updates.
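The state-machine flaw described above, as an added example that is not libssh code: a simplified model of a message dispatcher that shares handlers between client and server roles, next to a version that filters messages by role and authentication state first. Message numbers are from RFC 4252 and RFC 4254; every type and function name is hypothetical.

```c
/* Simplified model of an SSH message dispatcher. Not libssh code: all names
 * are hypothetical. Message numbers come from RFC 4252 / RFC 4254. */
#include <stdbool.h>

enum { MSG_USERAUTH_REQUEST = 50, MSG_USERAUTH_FAILURE = 51,
       MSG_USERAUTH_SUCCESS = 52, MSG_CHANNEL_OPEN = 90 };
enum role { ROLE_CLIENT, ROLE_SERVER };
struct session { enum role role; bool authenticated; };

/* Handler meant for the client role: the peer (a server) reports success. */
static void on_userauth_success(struct session *s) { s->authenticated = true; }
/* Stand-in for real credential verification on the server. */
static void on_userauth_request(struct session *s, bool creds_ok) { if (creds_ok) s->authenticated = true; }

/* Flawed dispatch: one handler table for both roles, no role or state check. */
int dispatch_flawed(struct session *s, int type, bool creds_ok) {
    switch (type) {
    case MSG_USERAUTH_REQUEST: on_userauth_request(s, creds_ok); return 0;
    case MSG_USERAUTH_SUCCESS: on_userauth_success(s); return 0;
    case MSG_CHANNEL_OPEN:     return s->authenticated ? 0 : -1;
    default:                   return -1;
    }
}

/* Filter: is this message type acceptable for our role and auth state? */
static bool packet_allowed(const struct session *s, int type) {
    switch (type) {
    case MSG_USERAUTH_REQUEST: return s->role == ROLE_SERVER && !s->authenticated;
    case MSG_USERAUTH_FAILURE:
    case MSG_USERAUTH_SUCCESS: return s->role == ROLE_CLIENT && !s->authenticated;
    case MSG_CHANNEL_OPEN:     return s->authenticated;
    default:                   return false;
    }
}

/* Hardened dispatch: filter first, then hand off to the same handlers. */
int dispatch_filtered(struct session *s, int type, bool creds_ok) {
    if (!packet_allowed(s, type)) return -1;  /* reject; caller should disconnect */
    return dispatch_flawed(s, type, creds_ok);
}

/* Replays one auth-phase message on a fresh server session, then requests a
 * channel. Returns 1 if the channel is granted, 0 otherwise. */
int channel_granted(int (*dispatch)(struct session *, int, bool), int msg, bool creds_ok) {
    struct session s = { ROLE_SERVER, false };
    dispatch(&s, msg, creds_ok);
    return dispatch(&s, MSG_CHANNEL_OPEN, false) == 0;
}
```

In the model, the flawed dispatcher marks a server session authenticated on a message that only a client should ever receive, while the filtered one grants a channel only after a credential check succeeds.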
To exploit this vulnerability, the attacker may need access to trusted or internal networks. This access requirement could limit the likelihood of a successful exploit.
Administrators are advised to apply the appropriate updates.
Administrators are advised to restrict network access to affected systems.
Administrators are advised to monitor affected systems.
libssh.org has released a security advisory at the following link: libssh 0.8.4 and 0.7.6 security and bugfix release
libssh.org has released software updates at the following link: libssh downloads
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security and a wide range of other skills in radio, electronics and telecommunications.