Jump to content
Search In
  • More options...
Find results that contain...
Find results in...

[UPDATE: Cisco Statement] Passwords Please - SSH vulnerability allows hackers to access any device by asking nicely

rcmaehl
 Share

Update:
Cisco Statement
 

Quote

Affected Products
Cisco is investigating its product line to determine which products may be affected by this vulnerability.
 

Products Under Investigation
The following products are under active investigation to determine whether they are affected by the vulnerability that is described in this advisory:

  • Collaboration and Social Media
    • Cisco Webex Meetings Server
  • Endpoint Clients and Client Software
    • Cisco Jabber Guest
  • Network Application, Service, and Acceleration
    • Cisco Adaptive Security Appliance (ASA) Software
    • Cisco Cloud Services Platform 2100
  • Network and Content Security Devices
    • Cisco ASA Next-Generation Firewall Services
    • Cisco Email Security Appliance (ESA)
    • Cisco FireSIGHT System
    • Cisco Identity Services Engine (ISE)
  • Network Management and Provisioning
    • Cisco Elastic Services Controller (ESC)
    • Cisco Enterprise Service Automation
    • Cisco NetFlow Generation Appliance
    • Cisco Network Analysis Module
    • Cisco Policy Suite
    • Cisco Prime Access Registrar
    • Cisco Prime Collaboration Provisioning
    • Cisco Prime Infrastructure
    • Cisco Prime Network Registrar Virtual Appliance
    • Cisco Prime Network Registrar
    • Cisco Prime Performance Manager
    • Cisco WAN Automation Engine (WAE)
  • Routing and Switching - Enterprise and Service Provider
    • Cisco Application Policy Infrastructure Controller (APIC)
    • Cisco IOS XR Software for Cisco Network Convergence System 6000 Series Routers
    • Cisco IOS XR Software
    • Cisco Nexus 9000 Series Switches - Standalone, NX-OS mode
    • Cisco Nexus 9000 Series Switches
  • Unified Computing
    • Cisco UCS Director
  • Voice and Unified Communications Devices
    • Cisco IP Interoperability and Collaboration System (IPICS)
    • Cisco Management Heartbeat Server
    • Cisco Unified Communications Manager Session Management Edition
    • Cisco Unified Communications Manager
    • Cisco Unified Contact Center Express
  • Video, Streaming, TelePresence, and Transcoding Devices
    • Cisco Cloud Object Storage
    • Cisco DCM Series D990x Digital Content Manager
    • Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS)
    • Cisco Video Surveillance 4300E and 4500E High-Definition IP Cameras
    • Cisco Video Surveillance Media Server
  • Wireless
    • Cisco Wireless LAN Controller
    • Cisco Cloud Hosted Services
    • Cisco Smart Software Manager Satellite
    • Cisco Virtual HetNet

Vulnerable Products
Cisco is investigating its product line to determine which products may be affected by this vulnerability. This section will be updated as information is available.

Products Confirmed Not Vulnerable
Cisco is investigating its product line to determine which products may be affected by this vulnerability. This section will be updated as information is available.


Sources:
libssh

Sophos

 

TL;DR:

By initializing a connection using SSH2_MSG_USERAUTH_SUCCESS instead of SSH2_MSG_USERAUTH_REQUEST, an attacker can bypass SSH authentication.

 

Media:

image.png.8412a249d63c0c40ab4d4f99223eb31f.png

 

Quotes/Excerpts:

Quote

CVE-2018-10933. A very serious flaw. It theoretically allows anyone to log into a server protected with libssh without entering a password. SSH is probably the most widely deployed remote access protocol in the world. Security holes in SSH are...the stuff of nightmares for many sysadmins. Here’s the good news. The most commonly used SSH version...is...OpenSSH. A completely separate implementation to libssh. Other...implementations... Dropbear, libssh2, and PuTTY...[don't] have this bug either. The bad news is that any server that is listening out for incoming SSH connections using libssh is at considerable risk of unauthorised access. The bug is comically bad, and in very simple terms it goes like this. When logging in, the client is supposed to chat to the server along these lines…
 

   Client → Server: HELLO-I-WOULD-LIKE-TO-START-AUTHENTICATING

   Client and server: [...a careful cryptographic dance is done by 
                          both sides to verify login credentials...]

   Server → Client: WELCOME-YOU-HAVE-PASSED-THE-TEST

But the bug means a client can just talk to a libssh server like this…

   Client → Server: WELCOME-YOU-HAVE-PASSED-THE-TEST

No password requested or required.

 

My Thoughts:

While libssh isn't the most common SSH library, it is among the top. How comically bad this bug is means libssh should probably have an audit of it's security practices. Let's hope not too many IoT devices use this library or we may have another Mirai botnet on our hands.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 

Link to comment
Share on other sites

Link to post
Share on other sites

HAHAHAHAHAHA

 

 

oh wait im running libssh oh fuck 

muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch

Link to comment
Share on other sites

Link to post
Share on other sites

Oh shit

~New~  BoomBerryPi project !  ~New~


new build log : http://linustechtips.com/main/topic/533392-build-log-the-scrap-simulator-x/?p=7078757 (5 screen flight sim for 620$ CAD)LTT Web Challenge is back ! go here  :  http://linustechtips.com/main/topic/448184-ltt-web-challenge-3-v21/#entry601004

Link to comment
Share on other sites

Link to post
Share on other sites

I honestly wonder if this is still an issue with password authentication disabled?  Whenever I install a new system, the very first thing I do with SSH is disable password auth.  Don't have a key?  You ain't gettin' in.  No ifs, no ands, no buts.  With that disabled, I wonder if the SSH server is still susceptible?

 

ETA: and yes, I know I'm not using libssh.  More a curiosity.

Editing Rig: Mac Pro 7,1

System Specs: 3.2GHz 16-core Xeon | 96GB ECC DDR4 | AMD Radeon Pro W6800X Duo | Lots of SSD and NVMe storage |

Audio: Universal Audio Apollo Thunderbolt-3 Interface |

Displays: 2 x BenQ EW3280U displays |

 

Gaming Rig: PC

System Specs:  Asus Rampage VI Extreme board | Intel Core i9 10980XE | 64GB Corsair Vengeance LPX (OC'd to 4GHz) | NVidia 3090 FE card (OC'd) | Corsair AX1500i power supply | CaseLabs Magnum THW10 case (RIP CaseLabs ) |

Audio:  Sound Blaster AE-9 card | Mackie DL32R Mixer | Sennheiser HDV820 amp | Sennheiser HD820 phones | Rode Broadcaster mic |

Display: Asus PG32UQX 4K/144Hz displayBenQ EW3280U display

Cooling:  2 x EK 140 Revo D5 Pump/Res | EK Asus R6E monoblock | EK 3090FE waterblock | AlphaCool 480mm x 60mm rad | AlphaCool 560mm x 60mm rad | 13 x Noctua 120mm fans | 8 x Noctua 140mm fans | 2 x Aquaero 6XT fan controllers |

Link to comment
Share on other sites

Link to post
Share on other sites

Oh boy. Now what version are many routers and switches using... We may be seeing a lot of emergency iOS patches for them lol

Use this guide to fix text problems in your postGo here and here for all your power supply needs

 

New Build Currently Under Construction! See here!!!! -----> 

 

Spoiler

Deathwatch:[CPU I7 4790K @ 4.5GHz][RAM TEAM VULCAN 16 GB 1600][MB ASRock Z97 Anniversary][GPU XFX Radeon RX 480 8GB][STORAGE 250GB SAMSUNG EVO SSD Samsung 2TB HDD 2TB WD External Drive][COOLER Cooler Master Hyper 212 Evo][PSU Cooler Master 650M][Case Thermaltake Core V31]

Spoiler

Cupid:[CPU Core 2 Duo E8600 3.33GHz][RAM 3 GB DDR2][750GB Samsung 2.5" HDD/HDD Seagate 80GB SATA/Samsung 80GB IDE/WD 325GB IDE][MB Acer M1641][CASE Antec][[PSU Altec 425 Watt][GPU Radeon HD 4890 1GB][TP-Link 54MBps Wireless Card]

Spoiler

Carlile: [CPU 2x Pentium 3 1.4GHz][MB ASUS TR-DLS][RAM 2x 512MB DDR ECC Registered][GPU Nvidia TNT2 Pro][PSU Enermax][HDD 1 IDE 160GB, 4 SCSI 70GB][RAID CARD Dell Perc 3]

Spoiler

Zeonnight [CPU AMD Athlon x2 4400][GPU Sapphire Radeon 4650 1GB][RAM 2GB DDR2]

Spoiler

Server [CPU 2x Xeon L5630][PSU Dell Poweredge 850w][HDD 1 SATA 160GB, 3 SAS 146GB][RAID CARD Dell Perc 6i]

Spoiler

Kero [CPU Pentium 1 133Mhz] [GPU Cirrus Logic LCD 1MB Graphics Controller] [Ram 48MB ][HDD 1.4GB Hitachi IDE]

Spoiler

Mining Rig: [CPU Athlon 64 X2 4400+][GPUS 9 RX 560s, 2 RX 570][HDD 160GB something][RAM 8GBs DDR3][PSUs 1 Thermaltake 700w, 2 Delta 900w 120v Server modded]

RAINBOWS!!!

 

 QUOTE ME SO I CAN SEE YOUR REPLYS!!!!

Link to comment
Share on other sites

Link to post
Share on other sites

Even if you're using public/private key authentication? I wouldn't be surprised if password only is easily bypassed but I'd expect keys to be trickier.

Link to comment
Share on other sites

Link to post
Share on other sites

3 minutes ago, Windows7ge said:

Even if you're using public/private key authentication? I wouldn't be surprised if password only is easily bypassed but I'd expect keys to be trickier.

Technical details haven't been released but it's safe to assume if Key Auth uses the same function call then it'd be at risk. I'm going to have to read up on SSH auth processes

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 

Link to comment
Share on other sites

Link to post
Share on other sites

Eh, for us home-users -- even power-users -- this luckily doesn't really mean much.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.

Link to comment
Share on other sites

Link to post
Share on other sites

1 minute ago, rcmaehl said:

Technical details haven't been released but it's safe to assume if Key Auth uses the same function call then it'd be at risk. I'm going to have to read up on SSH auth processes

How might we check what library we're using? I'm not that Linux savvy.

Link to comment
Share on other sites

Link to post
Share on other sites

2 minutes ago, WereCatf said:

Eh, for us home-users -- even power-users -- this luckily doesn't really mean much.

Until you realize how many devices have SSH open by default, mainly routers which are the main concern.

Link to comment
Share on other sites

Link to post
Share on other sites

1 minute ago, Windows7ge said:

How might we check what library we're using? I'm not that Linux savvy.

Most things, like the article mentions, too, don't use libssh, they use OpenSSH. Also, Ubuntu, at least, has already released a patch for this, and most likely all other major distros have or will in the next couple of days, too.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.

Link to comment
Share on other sites

Link to post
Share on other sites

1 minute ago, Windows7ge said:

How might we check what library we're using? I'm not that Linux savvy.

just do a

 

ssh -v localhost

 

Link to comment
Share on other sites

Link to post
Share on other sites

2 minutes ago, Windows7ge said:

How might we check what library we're using? I'm not that Linux savvy.

find /lib* /usr/lib* -name '*libssh*'

Link to comment
Share on other sites

Link to post
Share on other sites

4 minutes ago, mynameisjuan said:

Until you realize how many devices have SSH open by default, mainly routers which are the main concern.

They generally use dropbear or OpenSSH, not libssh.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.

Link to comment
Share on other sites

Link to post
Share on other sites

3 minutes ago, WereCatf said:

They generally use dropbear or wolfssl, not libssh.

Most router OSes are based on BSD which uses openssh. Yes they exist and yes this is a legitimate issue until more details are released. 

Link to comment
Share on other sites

Link to post
Share on other sites

Just now, mynameisjuan said:

Most router OSes are based on BSD which uses openssh. Yes they exist and yes this is a legitimate issue.

OpenSSH is not vulnerable so no, this is mostly a non-issue for home-users.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.

Link to comment
Share on other sites

Link to post
Share on other sites

2 minutes ago, Helibert said:

just do a

 


ssh -v localhost

 

I will have to try that when I get home. I actually recently had to create new keys on my server and I only distributed the new private key to my desktop. Still have to do it with every other machine I use like the laptop I'm on right now.

 

5 minutes ago, mynameisjuan said:

find /lib* /usr/lib* -name '*libssh*'

Hello again, but that sounds like it'd just tell me if I have it. Not if I'm actually using it.

Link to comment
Share on other sites

Link to post
Share on other sites

3 minutes ago, WereCatf said:

OpenSSH is not vulnerable so no, this is mostly a non-issue for home-users.

Just did a quick google. I didnt realize openssh does not use libssh as a dependency and they are separate. Interesting. Well that sure shoots down the amount of equipment affected. 

Link to comment
Share on other sites

Link to post
Share on other sites

2 minutes ago, Windows7ge said:

Hello again, but that sounds like it'd just tell me if I have it. Not if I'm actually using it.

If you want to see if its running I usually use 

ps -o pid,sess,cmd afx | egrep "ssh"

 

It not only shows whats running but what is using it. 

Link to comment
Share on other sites

Link to post
Share on other sites

2 minutes ago, mynameisjuan said:

If you want to see if its running I usually use 

ps -o pid,sess,cmd afx | egrep "ssh"

 

It not only shows whats running but what is using it. 

I will try both then and see what shows up.

Our router is already a pos (to be replaced soon) and I don't trust it, but I'd like my current & future server to have some level of reliable security when remoting in.

Link to comment
Share on other sites

Link to post
Share on other sites

These are the lines I always add to my /etc/ssh/ssd_config file:

 

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no

 

You can't come in as root, and if you don't have a key, you're not getting in.
 

Editing Rig: Mac Pro 7,1

System Specs: 3.2GHz 16-core Xeon | 96GB ECC DDR4 | AMD Radeon Pro W6800X Duo | Lots of SSD and NVMe storage |

Audio: Universal Audio Apollo Thunderbolt-3 Interface |

Displays: 2 x BenQ EW3280U displays |

 

Gaming Rig: PC

System Specs:  Asus Rampage VI Extreme board | Intel Core i9 10980XE | 64GB Corsair Vengeance LPX (OC'd to 4GHz) | NVidia 3090 FE card (OC'd) | Corsair AX1500i power supply | CaseLabs Magnum THW10 case (RIP CaseLabs ) |

Audio:  Sound Blaster AE-9 card | Mackie DL32R Mixer | Sennheiser HDV820 amp | Sennheiser HD820 phones | Rode Broadcaster mic |

Display: Asus PG32UQX 4K/144Hz displayBenQ EW3280U display

Cooling:  2 x EK 140 Revo D5 Pump/Res | EK Asus R6E monoblock | EK 3090FE waterblock | AlphaCool 480mm x 60mm rad | AlphaCool 560mm x 60mm rad | 13 x Noctua 120mm fans | 8 x Noctua 140mm fans | 2 x Aquaero 6XT fan controllers |

Link to comment
Share on other sites

Link to post
Share on other sites

1 hour ago, jasonvp said:

These are the lines I always add to my /etc/ssh/ssd_config file:

 


PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no

 

You can't come in as root, and if you don't have a key, you're not getting in.
 

Irrelevant to the discussion as those are OpenSSH-configuration options, and those options wouldn't protect you anyways, if OpenSSH was vulnerable, because the bug bypasses all that.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.

Link to comment
Share on other sites

Link to post
Share on other sites

26 minutes ago, WereCatf said:

Irrelevant to the discussion as those are OpenSSH-configuration options, and those options wouldn't protect you anyways, if OpenSSH was vulnerable, because the bug bypasses all that.

Yes, I know it's OpenSSH (been doing this for a while, thanks).  I was just giving an example.  And no, we're not certain that the "bug bypasses all of that."

Editing Rig: Mac Pro 7,1

System Specs: 3.2GHz 16-core Xeon | 96GB ECC DDR4 | AMD Radeon Pro W6800X Duo | Lots of SSD and NVMe storage |

Audio: Universal Audio Apollo Thunderbolt-3 Interface |

Displays: 2 x BenQ EW3280U displays |

 

Gaming Rig: PC

System Specs:  Asus Rampage VI Extreme board | Intel Core i9 10980XE | 64GB Corsair Vengeance LPX (OC'd to 4GHz) | NVidia 3090 FE card (OC'd) | Corsair AX1500i power supply | CaseLabs Magnum THW10 case (RIP CaseLabs ) |

Audio:  Sound Blaster AE-9 card | Mackie DL32R Mixer | Sennheiser HDV820 amp | Sennheiser HD820 phones | Rode Broadcaster mic |

Display: Asus PG32UQX 4K/144Hz displayBenQ EW3280U display

Cooling:  2 x EK 140 Revo D5 Pump/Res | EK Asus R6E monoblock | EK 3090FE waterblock | AlphaCool 480mm x 60mm rad | AlphaCool 560mm x 60mm rad | 13 x Noctua 120mm fans | 8 x Noctua 140mm fans | 2 x Aquaero 6XT fan controllers |

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share


×