Overview
This is a server-side authentication bypass vulnerability that allows a client to create channels it is not authorized to create. An attacker can trick the server into treating a client that has no valid credentials as successfully authenticated. The impact can be severe, depending on the permissions granted to the SSH server process.
Details
Servers that use libssh to implement SSH remote login can be exploited by an unauthorized client. Normally, when authentication begins, the remote client sends its credentials to the server in an SSH2_MSG_USERAUTH_REQUEST message. The attacker, acting as a remote client, skips this step and instead sends SSH2_MSG_USERAUTH_SUCCESS, the message that tells the peer the user is already authenticated. That message is only meant to be sent by a server, never by a client. The server fails to tell the two roles apart because it uses the same state machine for authentication in both. Once the malicious client's success message is processed as if it had come from a server, the server's session object is marked authenticated, and the attacker can open a shell on the server if desired.
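To make the role confusion concrete, the following is a simplified model of a server-side userauth dispatcher, added here as an example and not libssh's own code: the shared handler marks any session authenticated on SSH2_MSG_USERAUTH_SUCCESS, while the hardened handler accepts that message only when the local endpoint is a client. Message numbers are from RFC 4252; the Session class, handler names and credential store are constructed for the example.

```python
# Simplified model of a server-side userauth dispatcher (not libssh's code):
# one state machine serves both roles, so the fix is a per-role check.
# Message numbers are from RFC 4252; the credential store is constructed.
SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_USERAUTH_SUCCESS = 52
VALID_CREDENTIALS = {("alice", "correct horse")}

class Session:
    def __init__(self, is_server):
        self.is_server = is_server  # role of this endpoint
        self.authenticated = False
        self.errors = []

def handle_userauth_request(session, payload):
    """Legitimate path: the client presents credentials, the server checks them."""
    creds = (payload.get("user"), payload.get("password"))
    if session.is_server and creds in VALID_CREDENTIALS:
        session.authenticated = True
    return session.authenticated

def handle_userauth_success_shared(session, payload):
    """Flawed handler: trusts USERAUTH_SUCCESS no matter which role received it."""
    session.authenticated = True
    return True

def handle_userauth_success_role_checked(session, payload):
    """Hardened handler: only a client may accept USERAUTH_SUCCESS."""
    if session.is_server:
        session.errors.append("protocol error: USERAUTH_SUCCESS received by server")
        return False
    session.authenticated = True
    return True

def dispatch(session, msg_type, payload, success_handler):
    """Route one incoming message to its handler; unknown types are logged."""
    handlers = {
        SSH2_MSG_USERAUTH_REQUEST: handle_userauth_request,
        SSH2_MSG_USERAUTH_SUCCESS: success_handler,
    }
    handler = handlers.get(msg_type)
    if handler is None:
        session.errors.append(f"unhandled message type {msg_type}")
        return False
    return handler(session, payload)

def server_accepts_bare_success(success_handler):
    """True if a server using success_handler ends up authenticated with no credentials."""
    server = Session(is_server=True)
    dispatch(server, SSH2_MSG_USERAUTH_SUCCESS, {}, success_handler)
    return server.authenticated
```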
Affected Environments
Any server running libssh 0.6 or later that has not been updated to 0.7.6 or 0.8.4 is susceptible to the attack. Some products from the following vendors are known to be affected: Red Hat, Ubuntu, Oracle.
Remediation
Update libssh to version 0.7.6 or 0.8.4, whichever corresponds to the branch in use.
Prevention
Scan host systems that use libssh for this vulnerability. Customize the library to remove pubkey-based authorization.