Saturday, October 20, 2018


For the past four years, thousands of servers may have been exposed to an extremely simple authentication bypass vulnerability. CVE-2018-10933 affects libssh, a library implementing the Secure Shell (SSH) protocol, in every release since 0.6.0, which shipped in 2014. The flaw is in libssh's server-side code, so it is limited to products that embed libssh as an SSH server; the widely used OpenSSH, which does not use libssh, is not affected.
Still, all the attacker has to do is send the server an SSH2_MSG_USERAUTH_SUCCESS message (the one a server normally sends to a client once authentication is complete) instead of the expected SSH2_MSG_USERAUTH_REQUEST, and the server treats the session as authenticated without ever checking a credential. Experts are saying that the overall impact is small, given that OpenSSH is not impacted and a libssh patch has already been released. So how many systems are actually at risk? A quick Shodan search by one researcher returned 6,351 servers just by looking for "libssh". Another researcher added port 22 to the search, bringing the number down to 3,004. But this doesn't tell us how many systems are running vulnerable versions of libssh. And really, pinning down an accurate number is not easy. Shodan doesn't cover everything that's out there, and what's out on the internet can change in the blink of an eye.
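To make the bypass concrete, here is a small model of the bug class, added as an illustration and not taken from libssh's source: a server that dispatches on the SSH message number alone, so a client-role handler for USERAUTH_SUCCESS is reachable from the network, next to a hardened dispatcher that only accepts messages a client is allowed to send. The message numbers come from RFC 4252; the credential store, class names and function names are constructed for the example.

```python
# Constructed model of the CVE-2018-10933 logic flaw (not libssh code):
# a server that honours a message only a server may send.

# Userauth message numbers from RFC 4252 section 6.
SSH2_MSG_USERAUTH_REQUEST = 50   # client -> server: "log me in as <user>"
SSH2_MSG_USERAUTH_FAILURE = 51   # server -> client
SSH2_MSG_USERAUTH_SUCCESS = 52   # server -> client: authentication complete

# Hypothetical credential store for the demo.
VALID_CREDENTIALS = {"alice": "correct horse battery staple"}


class VulnerableServer:
    """One dispatch table shared between client-role and server-role logic.
    The handler for USERAUTH_SUCCESS only makes sense on the client side, but
    nothing stops a remote peer from sending that message to the server."""

    def __init__(self):
        self.authenticated = False
        self.handlers = {
            SSH2_MSG_USERAUTH_REQUEST: self._on_userauth_request,
            SSH2_MSG_USERAUTH_SUCCESS: self._on_userauth_success,  # the flaw
        }

    def _on_userauth_request(self, payload):
        user, password = payload
        if VALID_CREDENTIALS.get(user) == password:
            self.authenticated = True
            return SSH2_MSG_USERAUTH_SUCCESS
        return SSH2_MSG_USERAUTH_FAILURE

    def _on_userauth_success(self, payload):
        # Client-side bookkeeping ("the server accepted us"), run by the server.
        self.authenticated = True
        return None

    def receive(self, msg_type, payload=None):
        handler = self.handlers.get(msg_type)
        return handler(payload) if handler else None


class HardenedServer(VulnerableServer):
    """Server-role dispatch: only client-to-server messages have handlers, and
    anything else during authentication is a protocol violation that ends the
    session with the connection still unauthenticated."""

    def __init__(self):
        super().__init__()
        self.disconnected = False
        self.handlers = {SSH2_MSG_USERAUTH_REQUEST: self._on_userauth_request}

    def receive(self, msg_type, payload=None):
        if self.disconnected:
            return None
        handler = self.handlers.get(msg_type)
        if handler is None:
            self.disconnected = True
            self.authenticated = False
            return None
        return handler(payload)


def bypass_attempt(server_cls):
    """Peer sends USERAUTH_SUCCESS with no credentials at all; returns whether
    the server now considers the connection authenticated."""
    server = server_cls()
    server.receive(SSH2_MSG_USERAUTH_SUCCESS)
    return server.authenticated


def legitimate_login(server_cls, user, password):
    """Normal password authentication; returns True only on a real success."""
    server = server_cls()
    reply = server.receive(SSH2_MSG_USERAUTH_REQUEST, (user, password))
    return server.authenticated and reply == SSH2_MSG_USERAUTH_SUCCESS


if __name__ == "__main__":
    print("vulnerable server, bypass:", bypass_attempt(VulnerableServer))  # True
    print("hardened server, bypass:", bypass_attempt(HardenedServer))      # False
```

The general lesson is the one the hardened class encodes: a protocol implementation that can act as either peer must dispatch on role and state, not on message type alone, and an unexpected message during authentication should terminate the session rather than fall through to whatever handler happens to be registered.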

Figure 1. Shodan Search for libssh 0.6.0

We ran our search anyway and excluded the two patch versions that fix CVE-2018-10933, 0.7.6 and 0.8.4. That only reduced our total of 2,973 by three, to 2,970 systems. Searching only for the first affected version, 0.6.0, returned 1,259 systems. It's not a large number, but that is still over a thousand systems advertising a libssh release that is four years old and has never been updated. These systems can also be found in a matter of minutes. One caveat worth keeping in mind: a banner tells you which version string the server reports, not whether the fix has been applied, since some distributions backport security patches without changing the version number, so these counts are lists of candidates to verify rather than confirmed vulnerable hosts.
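The version filtering described above can be scripted over an exported list of banners. The following is an added example, not part of the original post: it parses libssh banner strings and buckets them by whether the reported version falls before the fix releases 0.7.6 and 0.8.4. The sample banners are constructed, the affected ranges (0.6.0 through 0.7.5 and 0.8.0 through 0.8.3) are this example's reading of the advisory, and accepting either "_" or "-" as the separator after "libssh" is an assumption to cover banner variants.

```python
# Added example: triage libssh banners against the CVE-2018-10933 fix releases.
import re

# libssh servers identify as "SSH-2.0-libssh_X.Y.Z"; a hyphen separator is
# also accepted here as an assumption, to cover older or customised banners.
BANNER_RE = re.compile(r"^SSH-2\.0-libssh[_-](\d+)\.(\d+)\.(\d+)")


def parse_libssh_version(banner):
    """Return (major, minor, micro) for a libssh banner, or None if it isn't one."""
    m = BANNER_RE.match(banner.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable_version(version):
    """Affected ranges assumed here: 0.6.0-0.7.5 and 0.8.0-0.8.3."""
    if version < (0, 6, 0):
        return False   # predates the flaw
    if version < (0, 7, 6):
        return True    # 0.6.0 through 0.7.5
    if version < (0, 8, 0):
        return False   # 0.7.6 and any later 0.7.x
    if version < (0, 8, 4):
        return True    # 0.8.0 through 0.8.3
    return False       # 0.8.4 and later


def triage(banners):
    """Bucket banner strings into vulnerable / patched / other (not libssh).

    'vulnerable' means the banner reports an affected version; it does not
    prove the host is exploitable, since backported fixes keep the same string.
    """
    result = {"vulnerable": [], "patched": [], "other": []}
    for banner in banners:
        version = parse_libssh_version(banner)
        if version is None:
            result["other"].append(banner)
        elif is_vulnerable_version(version):
            result["vulnerable"].append(banner)
        else:
            result["patched"].append(banner)
    return result


# Constructed sample resembling Shodan banner output (no real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-libssh_0.6.0",
    "SSH-2.0-libssh_0.7.5",
    "SSH-2.0-libssh_0.7.6",
    "SSH-2.0-libssh_0.8.3",
    "SSH-2.0-libssh_0.8.4",
    "SSH-2.0-OpenSSH_7.4",
]

if __name__ == "__main__":
    buckets = triage(SAMPLE_BANNERS)
    for name, items in buckets.items():
        print(f"{name}: {len(items)}")
```

Feed it the banner column of a Shodan export (one banner per line) to get a first cut; anything in the "vulnerable" bucket still needs confirmation against the vendor's own advisory, because a backported fix leaves the banner unchanged.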

Figure 2. Shodan Search Result Details
If that isn't enough, take a second look at the figure above. Most of the identified systems are based in the United States and belong to major communications companies. Sure, the footprint of this vulnerability is pretty small, but it's exactly the type of low-hanging fruit that attackers look for, made all the more enticing by the organizations that appear to be most affected.
Thanks to Peraton for this information