微慑信息网

SSH登陆验证绕过漏洞CVE-2018-10933

SSH登陆验证绕过漏洞CVE-2018-10933

2018年10月17日,阿里云云盾应急响应中心监测到libssh官方发布安全公告,披露了一个SSH2登陆身份验证绕过漏洞(CVE-2018-10933)。攻击者利用漏洞可以在没有任何凭据的情况下成功进行身份验证,甚至可能登陆SSH。

漏洞描述

libssh版本0.6及更高版本在服务端代码中具有身份验证绕过漏洞。

通过向服务端发送SSH2_MSG_USERAUTH_SUCCESS消息来代替服务端期望启动身份验证的SSH2_MSG_USERAUTH_REQUEST消息,攻击者可以在没有任何凭据的情况下成功进行身份验证,甚至可能登陆SSH,入侵服务器。

影响范围

libssh0.6及以上的版本

风险评级

CVE-2018-10933:严重

安全建议

目前各大发行版OS暂未发布相应的package补丁,云盾提供临时解决方案参考如下:

方案一:

下载官方patch文件:https://www.libssh.org/security/,重新安装libssh修复漏洞

方案二:

在各大发行版OS发布相应的package补丁前,建议禁止SSH对外,或使用阿里云控制台远程连接管理服务器

禁止SSH对外,只针对特定允许的ip开放访问权限,可通过安全组配置,参考如下:

我们会关注后续进展,请随时关注官方公告。如有任何问题,可随时通过工单或服务电话027-87498031联系反馈。

武汉捷讯信息技术有限公司是一家专门从事互联网服务、软件开发、计算机和通信系统集成及电信增值业务的高科技互联网企业,官方授权唯一指定阿里云湖北授权服务中心、阿里云区域服务提供商,请各位有需求的客户,认准官网,全国咨询热线:027-87498031。

 

CVE-2018-10933

=======================================================================
== Subject:    Authentication bypass in server code
==
== CVE ID#:    CVE-2018-10933
==
== Versions:   All versions of libssh 0.6 and later
==
== Summary:    There is a vulnerability within the server code which
==             can enable a client to bypass the authentication
==             process and set the internal state machine maintained
==             by the library to authenticated, enabling the
==             (otherwise prohibited) creation of channels.
==
=======================================================================

===========
Description
===========

libssh versions 0.6 and above have an authentication bypass vulnerability in
the server code.  By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message
in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect
to initiate authentication, the attacker could successfully authentciate
without any credentials.

The bug was discovered by Peter Winter-Smith of NCC Group.

==================
Patch Availability
==================

Patches addressing the issue have been posted to:

    https://www.libssh.org/

libssh version 0.8.4 and libssh 0.7.6 have been released to address this issue.

==========
Workaround
==========

There is no workaround for this issue.

=======
Credits
=======

The bug was discovered by Peter Winter-Smith of NCC Group.

Patches are provided by the Anderson Toshiyuki Sasaki of Red Hat and the libssh
team.

==========================================================
== The libssh team
==========================================================

测试代码:

https://github.com/blacknbunny/libSSH-Authentication-Bypass

 

赞(0) 打赏
转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » SSH登陆验证绕过漏洞CVE-2018-10933

评论 抢沙发

微慑信息网 专注工匠精神

微慑信息网-VulSee.com-关注前沿安全态势,聚合网络安全漏洞信息,分享安全文档案例

访问我们联系我们

觉得文章有用就打赏一下文章作者

非常感谢你的打赏,我们将继续提供更多优质内容,让我们一起创建更加美好的网络世界!

支付宝扫一扫打赏

微信扫一扫打赏

登录

找回密码

注册