
Re: libssh 0.8.4 and 0.7.6 to address CVE-2018-10933 is out


On Tuesday, 16 October 2018 16:20:43 CEST Andreas Schneider wrote:
> =======================================================================
> == Subject:    Authentication bypass in server code
> ==
> == CVE ID#:    CVE-2018-10933
> ==
> == Versions:   All versions of libssh 0.6 and later
> ==
> == Summary:    There is a vulnerability within the server code which
> ==             can enable a client to bypass the authentication
> ==             process and set the internal state machine maintained
> ==             by the library to authenticated, enabling the
> ==             (otherwise prohibited) creation of channels.
> ==
> =======================================================================

Hello,

we wanted to share some additional information.

We have two server examples in our source code which are not vulnerable
to the attack as they are tracking the authentication state explicitly.

   examples/ssh_server_fork.c +239

   /* A userdata struct for session. */
   struct session_data_struct {
       /* Pointer to the channel the session will allocate. */
       ssh_channel channel;
       /* Number of authentication attempts made so far. */
       int auth_attempts;
       /* Set by the server's own auth callback once the user has
        * authenticated; channel work is refused until then. */
       int authenticated;
   };


The authenticated member tracks if a user is authenticated or not and
depending on this member variable it is allowed to work on a channel or not.

We hope people follow our examples :-)


libssh is part of oss-fuzz. The fuzzing server is in tests/fuzz. If someone
has more experience with fuzzing, help extending it is much appreciated!


Thanks,


	Andreas

 
-- 
Andreas Schneider                 asn@xxxxxxxxxxxxxx
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
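The pattern the mail describes (the server keeping its own authenticated flag and refusing channel requests until that flag is set) as an added example; this is not libssh's code or the project's examples. It models the session struct and the two relevant callbacks in plain C with no libssh dependency, using constructed credentials and a constructed message order in which the client asks for a channel before it has authenticated.

```c
#include <string.h>

/* Constructed stand-in for the examples' session_data_struct: the
 * ssh_channel pointer becomes a flag so this runs without libssh. */
struct session_data {
    int channel_open;
    int auth_attempts;
    int authenticated;  /* set only by the server's own credential check */
};

enum { AUTH_SUCCESS = 0, AUTH_DENIED = 1 };  /* constructed result codes */

/* Constructed demo credentials; a real server checks a credential store. */
static const char *EXPECTED_USER = "alice";
static const char *EXPECTED_PASS = "correct horse";

/* Role of the password-auth callback: the only place the flag is set. */
int auth_password(struct session_data *s, const char *user, const char *pass)
{
    s->auth_attempts++;
    if (strcmp(user, EXPECTED_USER) == 0 && strcmp(pass, EXPECTED_PASS) == 0) {
        s->authenticated = 1;
        return AUTH_SUCCESS;
    }
    return AUTH_DENIED;
}

/* Role of the channel-open callback: consult the server's own flag, not
 * whatever authentication state the library itself reports. */
int channel_open(struct session_data *s)
{
    if (!s->authenticated)
        return -1;          /* refused: no channel is created */
    s->channel_open = 1;
    return 0;
}

/* Constructed message order: a channel request before any successful auth
 * must be refused; returns 1 if every step behaves as expected. */
int run_session(void)
{
    struct session_data s = { 0, 0, 0 };
    if (channel_open(&s) != -1) return 0;
    if (auth_password(&s, "alice", "guess") != AUTH_DENIED) return 0;
    if (channel_open(&s) != -1) return 0;
    if (auth_password(&s, "alice", "correct horse") != AUTH_SUCCESS) return 0;
    return channel_open(&s) == 0 && s.channel_open && s.auth_attempts == 2;
}

int main(void) { return run_session() ? 0 : 1; }
```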