Author: Jonathan Bennett / Source: Hackaday

Another day, another CVE (Common Vulnerabilities and Exposures). Getting a CVE number assigned to a vulnerability is a stamp of authenticity that you have a real problem on your hands. CVE-2018-10933 is a worst-case scenario for libssh. With a single response, an attacker can completely bypass authentication, giving full access to a system.
Before you panic and yank the power cord on your server, know that libssh is not part of OpenSSH. Your Linux box almost certainly uses OpenSSH as the SSH daemon, and that daemon is not vulnerable to this particular problem. Libssh does show up in a few important places; the most notable is probably GitHub and
Libssh has released a new version that fixes the problem.
The libssh project shares code between their client and server implementations, as one would expect. There are different callbacks to handle packet…