rcmaehl

[UPDATE: Cisco Statement] Passwords Please - SSH vulnerability allows hackers to access any device by asking nicely


Posted · Original PosterOP

Update:
Cisco Statement
 

Quote

Affected Products
Cisco is investigating its product line to determine which products may be affected by this vulnerability.
 

Products Under Investigation
The following products are under active investigation to determine whether they are affected by the vulnerability that is described in this advisory:

  • Collaboration and Social Media
    • Cisco Webex Meetings Server
  • Endpoint Clients and Client Software
    • Cisco Jabber Guest
  • Network Application, Service, and Acceleration
    • Cisco Adaptive Security Appliance (ASA) Software
    • Cisco Cloud Services Platform 2100
  • Network and Content Security Devices
    • Cisco ASA Next-Generation Firewall Services
    • Cisco Email Security Appliance (ESA)
    • Cisco FireSIGHT System
    • Cisco Identity Services Engine (ISE)
  • Network Management and Provisioning
    • Cisco Elastic Services Controller (ESC)
    • Cisco Enterprise Service Automation
    • Cisco NetFlow Generation Appliance
    • Cisco Network Analysis Module
    • Cisco Policy Suite
    • Cisco Prime Access Registrar
    • Cisco Prime Collaboration Provisioning
    • Cisco Prime Infrastructure
    • Cisco Prime Network Registrar Virtual Appliance
    • Cisco Prime Network Registrar
    • Cisco Prime Performance Manager
    • Cisco WAN Automation Engine (WAE)
  • Routing and Switching - Enterprise and Service Provider
    • Cisco Application Policy Infrastructure Controller (APIC)
    • Cisco IOS XR Software for Cisco Network Convergence System 6000 Series Routers
    • Cisco IOS XR Software
    • Cisco Nexus 9000 Series Switches - Standalone, NX-OS mode
    • Cisco Nexus 9000 Series Switches
  • Unified Computing
    • Cisco UCS Director
  • Voice and Unified Communications Devices
    • Cisco IP Interoperability and Collaboration System (IPICS)
    • Cisco Management Heartbeat Server
    • Cisco Unified Communications Manager Session Management Edition
    • Cisco Unified Communications Manager
    • Cisco Unified Contact Center Express
  • Video, Streaming, TelePresence, and Transcoding Devices
    • Cisco Cloud Object Storage
    • Cisco DCM Series D990x Digital Content Manager
    • Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS)
    • Cisco Video Surveillance 4300E and 4500E High-Definition IP Cameras
    • Cisco Video Surveillance Media Server
  • Wireless
    • Cisco Wireless LAN Controller
    • Cisco Cloud Hosted Services
    • Cisco Smart Software Manager Satellite
    • Cisco Virtual HetNet

Vulnerable Products
Cisco is investigating its product line to determine which products may be affected by this vulnerability. This section will be updated as information is available.

Products Confirmed Not Vulnerable
Cisco is investigating its product line to determine which products may be affected by this vulnerability. This section will be updated as information is available.


Sources:
libssh

Sophos

 

TL;DR:

By initializing a connection using SSH2_MSG_USERAUTH_SUCCESS instead of SSH2_MSG_USERAUTH_REQUEST, an attacker can bypass SSH authentication.

 


 

Quotes/Excerpts:

Quote

CVE-2018-10933. A very serious flaw. It theoretically allows anyone to log into a server protected with libssh without entering a password. SSH is probably the most widely deployed remote access protocol in the world. Security holes in SSH are...the stuff of nightmares for many sysadmins. Here’s the good news. The most commonly used SSH version...is...OpenSSH. A completely separate implementation to libssh. Other...implementations... Dropbear, libssh2, and PuTTY...[don't] have this bug either. The bad news is that any server that is listening out for incoming SSH connections using libssh is at considerable risk of unauthorised access. The bug is comically bad, and in very simple terms it goes like this. When logging in, the client is supposed to chat to the server along these lines…
 

   Client → Server: HELLO-I-WOULD-LIKE-TO-START-AUTHENTICATING

   Client and server: [...a careful cryptographic dance is done by 
                          both sides to verify login credentials...]

   Server → Client: WELCOME-YOU-HAVE-PASSED-THE-TEST

But the bug means a client can just talk to a libssh server like this…

   Client → Server: WELCOME-YOU-HAVE-PASSED-THE-TEST

No password requested or required.

 

My Thoughts:

While libssh isn't the most common SSH library, it is among the top. How comically bad this bug is means libssh should probably have an audit of its security practices. Let's hope not too many IoT devices use this library or we may have another Mirai botnet on our hands.




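The bypass the TL;DR describes, modelled as an added example that is not libssh's code and not from the original post: a toy server-side userauth dispatcher in C with the vulnerable handling and the corrected handling side by side. Message numbers come from RFC 4252; the `session` fields, `is_server`, `password_enabled` and the function names are assumptions of the model. It also answers the question raised later in the thread about disabling password authentication: the `bypass_works` path never reaches the configured methods, so that setting alone makes no difference.

```c
/* Added example (not libssh's code): a simplified server-side SSH userauth
 * dispatcher modelling CVE-2018-10933 and the shape of the correct handling. */
#include <stdbool.h>
#include <stdint.h>
/* Message numbers from RFC 4252, section 6 */
#define SSH2_MSG_USERAUTH_REQUEST 50
#define SSH2_MSG_USERAUTH_SUCCESS 52

struct session {
    bool is_server;        /* true on the listening side */
    bool password_enabled; /* hypothetical config knob, never consulted below */
    bool authenticated;
};

/* Real credential checking would live here; the model only records the result. */
static void on_userauth_request(struct session *s, bool credentials_ok)
{
    if (credentials_ok) s->authenticated = true;
}

/* Vulnerable shape: one handler serves both roles and unconditionally marks the
 * session authenticated. Fixed shape: SUCCESS is a server-only message, so a copy
 * arriving at a server is a protocol violation and must not touch auth state. */
static void on_userauth_success(struct session *s, bool fixed)
{
    if (fixed && s->is_server) return; /* a real server would log, maybe disconnect */
    s->authenticated = true;
}

static void dispatch(struct session *s, uint8_t type, bool fixed, bool creds_ok)
{
    switch (type) {
    case SSH2_MSG_USERAUTH_REQUEST: on_userauth_request(s, creds_ok); break;
    case SSH2_MSG_USERAUTH_SUCCESS: on_userauth_success(s, fixed);    break;
    }
}

/* Peer opens with SUCCESS and never sends a REQUEST: the configured methods are
 * never reached on that path, so disabling password auth alone would not help. */
bool bypass_works(bool fixed, bool password_enabled)
{
    struct session s = { true, password_enabled, false };
    dispatch(&s, SSH2_MSG_USERAUTH_SUCCESS, fixed, false);
    return s.authenticated;
}

/* The legitimate REQUEST path is unaffected by the fix. */
bool legit_login_works(bool fixed, bool credentials_ok)
{
    struct session s = { true, true, false };
    dispatch(&s, SSH2_MSG_USERAUTH_REQUEST, fixed, credentials_ok);
    return s.authenticated;
}
```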
 


EternalBlue 2.0 when?



 


Oh shit


I honestly wonder if this is still an issue with password authentication disabled?  Whenever I install a new system, the very first thing I do with SSH is disable password auth.  Don't have a key?  You ain't gettin' in.  No ifs, no ands, no buts.  With that disabled, I wonder if the SSH server is still susceptible?

 

ETA: and yes, I know I'm not using libssh.  More a curiosity.


Oh boy. Now what version are many routers and switches using... We may be seeing a lot of emergency iOS patches for them lol




Sending SSH2_MSG_USERAUTH_SUCCESS instead of SSH2_MSG_USERAUTH_REQUEST is enough? Telnet would be nice since I have a device which I want to take ownership of to fix something without modding the firmware.

Posted · Original PosterOP
3 minutes ago, Windows7ge said:

Even if you're using public/private key authentication? I wouldn't be surprised if password only is easily bypassed but I'd expect keys to be trickier.

Technical details haven't been released but it's safe to assume if Key Auth uses the same function call then it'd be at risk. I'm going to have to read up on SSH auth processes




 

1 minute ago, rcmaehl said:

Technical details haven't been released but it's safe to assume if Key Auth uses the same function call then it'd be at risk. I'm going to have to read up on SSH auth processes

How might we check what library we're using? I'm not that Linux savvy.

1 minute ago, Windows7ge said:

How might we check what library we're using? I'm not that Linux savvy.

Most things, like the article mentions, too, don't use libssh, they use OpenSSH. Also, Ubuntu, at least, has already released a patch for this, and most likely all other major distros have or will in the next couple of days, too.



1 minute ago, Windows7ge said:

How might we check what library we're using? I'm not that Linux savvy.

just do a

 

ssh -v localhost

 

4 minutes ago, mynameisjuan said:

Until you realize how many devices have SSH open by default, mainly routers which are the main concern.

They generally use dropbear or OpenSSH, not libssh.



3 minutes ago, WereCatf said:

They generally use dropbear or wolfssl, not libssh.

Most router OSes are based on BSD which uses openssh. Yes they exist and yes this is a legitimate issue until more details are released. 

Just now, mynameisjuan said:

Most router OSes are based on BSD which uses openssh. Yes they exist and yes this is a legitimate issue.

OpenSSH is not vulnerable so no, this is mostly a non-issue for home users.



2 minutes ago, Helibert said:

just do a

 


ssh -v localhost

 

I will have to try that when I get home. I actually recently had to create new keys on my server and I only distributed the new private key to my desktop. Still have to do it with every other machine I use like the laptop I'm on right now.

 

5 minutes ago, mynameisjuan said:

find /lib* /usr/lib* -name '*libssh*'

Hello again, but that sounds like it'd just tell me if I have it. Not if I'm actually using it.

3 minutes ago, WereCatf said:

OpenSSH is not vulnerable so no, this is mostly a non-issue for home-users.

Just did a quick Google. I didn't realize OpenSSH does not use libssh as a dependency and they are separate. Interesting. Well that sure shoots down the amount of equipment affected.

2 minutes ago, Windows7ge said:

Hello again, but that sounds like it'd just tell me if I have it. Not if I'm actually using it.

If you want to see if it's running I usually use

ps -o pid,sess,cmd afx | egrep "ssh"

 

It not only shows what's running but what is using it.

2 minutes ago, mynameisjuan said:

If you want to see if it's running I usually use

ps -o pid,sess,cmd afx | egrep "ssh"

 

It not only shows what's running but what is using it.

I will try both then and see what shows up.

Our router is already a pos (to be replaced soon) and I don't trust it, but I'd like my current & future server to have some level of reliable security when remoting in.

