  #1  
Old 18-10-18, 01:30
Madeline
Top contributor
 
Join Date: Jan 2004
Location: Cymru
Posts: 52,104
Serious SSH bug lets crooks log in just by asking nicely…

Articles from Sophos' Naked Security and Bleeping Computer about this:

Serious SSH bug lets crooks log in just by asking nicely… – Naked Security
Quote:
Big, bad, scary bug of the moment is CVE-2018-10933.

This is a serious flaw – in fact, it’s a very serious flaw – in a free software library called libssh.

The flaw is more than just serious – it’s scary, because it theoretically allows anyone to log into a server protected with libssh without entering a password at all.
Hacker: I'm logged in. New LibSSH Vulnerability: OK! I believe you.
Quote:
Newly released versions of the libssh library fix an authentication bypass flaw that grants access to the server by just telling it that the procedure was a success.

The libssh library enables support of the Secure Shell (SSH) protocol in applications, allowing an encrypted connection between clients and servers.
__________________
"I'm Irish. We think sideways." Spike Milligan. 1918 - 2002
  #2  
Old 19-10-18, 02:40
Madeline
Re: Serious SSH bug lets crooks log in just by asking nicely…

A video from Sophos' Naked Security:

The libssh “login with no password” bug – what you need to know [VIDEO] – Naked Security
  #3  
Old 19-10-18, 21:49
Madeline
Re: Serious SSH bug lets crooks log in just by asking nicely…

The latest article from The Register about this:

F5: Don't panic but folks can slip past vulnerable firewall servers, thanks to libssh's credentials-optional 'security' • The Register
Quote:
Also: AWS on avoiding state machine slips

Updated Network box maker F5 has shipped some firewall gear that is potentially vulnerable to the libssh authentication-bypass bug.

That means anyone who can reach the at-risk systems over the network or internet can, depending on the configuration, tunnel through to backend infrastructure simply by asking nicely.
  #4  
Old 20-10-18, 01:02
Madeline
Re: Serious SSH bug lets crooks log in just by asking nicely…

From libssh:

libssh 0.8.4 and 0.7.6 security and bugfix release – libssh
Quote:
This is an important security and maintenance release in order to address CVE-2018-10933.
All times are GMT.