====================================================================


                             CERT-Renater

                 Note d'Information No. 2018/VULN336
_____________________________________________________________________

DATE                : 19/10/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running libssh versions prior to 0.8.4,
                                           0.7.6.

=====================================================================
https://www.libssh.org/archive/libssh/2018-10/0000021.html
_____________________________________________________________________

=======================================================================
== Subject:    Authentication bypass in server code
==
== CVE ID#:    CVE-2018-10933
==
== Versions:   All versions of libssh 0.6 and later
==
== Summary:    There is a vulnerability within the server code which
==             can enable a client to bypass the authentication
==             process and set the internal state machine maintained
==             by the library to authenticated, enabling the
==             (otherwise prohibited) creation of channels.
==
=======================================================================

===========
Description
===========

libssh versions 0.6 and above have an authentication bypass
vulnerability in the server code.  By presenting the server an
SSH2_MSG_USERAUTH_SUCCESS message in place of the
SSH2_MSG_USERAUTH_REQUEST message which the server would
expect to initiate authentication, the attacker could successfully
authentciate without any credentials.

The bug was discovered by Peter Winter-Smith of NCC Group.

==================
Patch Availability
==================

Patches addressing the issue have been posted to:

    https://www.libssh.org/

libssh version 0.8.4 and libssh 0.7.6 have been released to address this
issue.

==========
Workaround
==========

There is no workaround for this issue.

=======
Credits
=======

The bug was discovered by Peter Winter-Smith of NCC Group.

Patches are provided by the Anderson Toshiyuki Sasaki of Red Hat and the
libssh team.

==========================================================
== The libssh team
==========================================================


https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================