Re: libssh 0.8.4 and 0.7.6 to address CVE-2018-10933 is out
- Subject: Re: libssh 0.8.4 and 0.7.6 to address CVE-2018-10933 is out
- From: Andreas Schneider <asn@xxxxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Fri, 19 Oct 2018 09:58:37 +0200
- To: libssh@xxxxxxxxxx
On Tuesday, 16 October 2018 16:20:43 CEST Andreas Schneider wrote:
> =======================================================================
> == Subject: Authentication bypass in server code
> ==
> == CVE ID#: CVE-2018-10933
> ==
> == Versions: All versions of libssh 0.6 and later
> ==
> == Summary: There is a vulnerability within the server code which
> == can enable a client to bypass the authentication
> == process and set the internal state machine maintained
> == by the library to authenticated, enabling the
> == (otherwise prohibited) creation of channels.
> ==
> =======================================================================

Hello,

we wanted to share some additional information.

We have two server examples in our source code which are not vulnerable to
the attack as they are tracking the authentication state explicitly.

examples/ssh_server_fork.c +239

    /* A userdata struct for session. */
    struct session_data_struct {
        /* Pointer to the channel the session will allocate. */
        ssh_channel channel;
        int auth_attempts;
        int authenticated;
    };

The authenticated member tracks if a user is authenticated or not and
depending on this member variable it is allowed to work on a channel or not.

We hope people follow our examples :-)

libssh is part of oss-fuzz. The fuzzing server is in tests/fuzz. If someone
has more experience with fuzzing, help to extend it is much appreciated!

Thanks,

Andreas

--
Andreas Schneider asn@xxxxxxxxxxxxxx
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
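The explicit-state pattern the mail points at, as an added example that is not libssh code and not the examples/ssh_server_fork.c file itself: the ssh_channel pointer is reduced to an int flag, the callbacks take void * instead of ssh_session, and the credentials, MAX_AUTH_ATTEMPTS and the lib_says_authenticated argument are constructed for the demo. The point it shows is that the channel gate trusts only the flag the application's own password callback set, so whatever the library's internal state machine claims does not open a channel.

```c
#include <stdio.h>
#include <string.h>
#define MAX_AUTH_ATTEMPTS 3 /* assumed limit, not taken from the example file */

/* Mirrors the struct quoted in the mail; the ssh_channel pointer is
 * replaced by an int flag so this model builds without libssh. */
struct session_data_struct {
    int channel;       /* 1 once a channel has been allocated */
    int auth_attempts;
    int authenticated; /* set ONLY by our own password check below */
};

/* Same shape as libssh's auth_password server callback, with the session
 * argument reduced to void *. Constructed credentials for the demo. */
static int auth_password(void *session, const char *user, const char *pass, void *userdata) {
    struct session_data_struct *sdata = userdata;
    (void)session;
    sdata->auth_attempts++;
    if (strcmp(user, "demo") == 0 && strcmp(pass, "demo-password") == 0) {
        sdata->authenticated = 1;
        return 0; /* success, like SSH_AUTH_SUCCESS */
    }
    return 1;     /* denied, like SSH_AUTH_DENIED */
}

/* Channel-open gate. lib_says_authenticated models whatever the library's
 * internal state machine claims; the decision ignores it on purpose and
 * trusts only the flag our own callback set. Returns 0 on success. */
static int channel_open(int lib_says_authenticated, void *userdata) {
    struct session_data_struct *sdata = userdata;
    (void)lib_says_authenticated;
    if (!sdata->authenticated) {
        fprintf(stderr, "channel open refused: session not authenticated\n");
        return -1;
    }
    sdata->channel = 1;
    return 0;
}

/* Close the session once the attempt budget is spent without success. */
static int should_disconnect(const struct session_data_struct *sdata) {
    return !sdata->authenticated && sdata->auth_attempts >= MAX_AUTH_ATTEMPTS;
}

int main(void) {
    struct session_data_struct sdata = {0, 0, 0};
    printf("open before callback -> %d\n", channel_open(1, &sdata));
    auth_password(NULL, "demo", "demo-password", &sdata);
    printf("open after callback  -> %d\n", channel_open(1, &sdata));
    return 0;
}
```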