Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
libssh 0.8.4 and 0.7.6 security and bugfix release
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
angryMethane
n00b
n00b


Joined: 07 Oct 2018
Posts: 5

PostPosted: Wed Oct 17, 2018 2:02 am    Post subject: libssh 0.8.4 and 0.7.6 security and bugfix release Reply with quote

Code:

libssh versions 0.6 and above have an authentication bypass vulnerability in
the server code.  By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message
in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect
to initiate authentication, the attacker could successfully authentciate
without any credentials.

Read more at: https://www.libssh.org/security/advisories/CVE-2018-10933.txt

When Gentoo upgrade libssh? :roll:
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5290

PostPosted: Wed Oct 17, 2018 2:33 am    Post subject: Reply with quote

Are you using an in-tree package that uses the server parts of libssh? Which one?
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 6893
Location: almost Mile High in the USA

PostPosted: Wed Oct 17, 2018 2:35 am    Post subject: Reply with quote

Ouch.

So what apps use libssh for server?

Ffmpeg if you have USE=ssh will use libssh, but I'm not sure if it uses server mode...

Luckily I don't have libssh installed on outward facing servers... I think...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5290

PostPosted: Wed Oct 17, 2018 2:57 am    Post subject: Reply with quote

eccerr0r wrote:
Ouch.

So what apps use libssh for server?

That's my point; nothing does.

Taking the results of eix -c --depend 'libssh\b', I see:
  • libvirt, kodi, ffmpeg: these provide server functions but completely unrelated to ssh
  • A bunch of network security scanning tools
  • Client software, mostly multimedia things, which use it to access files like a network share

Overlays are mostly the same story. In summary: this is needless hysteria.
Back to top
View user's profile Send private message
angryMethane
n00b
n00b


Joined: 07 Oct 2018
Posts: 5

PostPosted: Wed Oct 17, 2018 4:58 am    Post subject: Reply with quote

Ant P. wrote:
Are you using an in-tree package that uses the server parts of libssh? Which one?


libvirt and qemu.
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5290

PostPosted: Wed Oct 17, 2018 6:41 am    Post subject: Reply with quote

What port are you running their SSH servers on? Can't be 22, because openssh is already using that.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 6893
Location: almost Mile High in the USA

PostPosted: Wed Oct 17, 2018 3:12 pm    Post subject: Reply with quote

Yeah I think the hype is overblown, though it is a security hole nonetheless.

I was worried about two major ssh servers that actually run as root:
- OpenSSH, but this is standalone and does not use libssh
- Dropbear, and once again it has its own ssh implementation.

All other applications may use libssh but for client side connectivity and thus do not have root access. The reason why it still may be a problem is if these applications implement an internal server, which seems kind of pointless.

So, while it is a bug, this is not as big a story as it seems, at least for Gentoo. Can't say the same for other OS.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
angryMethane
n00b
n00b


Joined: 07 Oct 2018
Posts: 5

PostPosted: Thu Oct 18, 2018 2:01 pm    Post subject: Reply with quote

eccerr0r wrote:
Yeah I think the hype is overblown, though it is a security hole nonetheless.

I was worried about two major ssh servers that actually run as root:
- OpenSSH, but this is standalone and does not use libssh
- Dropbear, and once again it has its own ssh implementation.

All other applications may use libssh but for client side connectivity and thus do not have root access. The reason why it still may be a problem is if these applications implement an internal server, which seems kind of pointless.

So, while it is a bug, this is not as big a story as it seems, at least for Gentoo. Can't say the same for other OS.


In my opinion, the right attitude towards vulnerable softwares is to patch them as soon as possible no matter what damage it would cause.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 6893
Location: almost Mile High in the USA

PostPosted: Thu Oct 18, 2018 2:18 pm    Post subject: Reply with quote

angryMethane wrote:
In my opinion, the right attitude towards vulnerable softwares is to patch them as soon as possible no matter what damage it would cause.

It's a good attitude if you don't understand the bug, but it's also worth to step back and do an actual assessment of the issue at hand, and not make hasty moves that may cause unneeded panic.

Before I forget, thank you for posting about the bug, I had not seen it until you wrote about it. I really appreciate it.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
asturm
Developer
Developer


Joined: 05 Apr 2007
Posts: 6584
Location: Austria

PostPosted: Sat Oct 20, 2018 12:07 pm    Post subject: Re: libssh 0.8.4 and 0.7.6 security and bugfix release Reply with quote

angryMethane wrote:
Read more at: https://www.libssh.org/security/advisories/CVE-2018-10933.txt

When Gentoo upgrade libssh? :roll:

^ Posted: Wed Oct 17, 2018

Code:
commit b9446a58ef8701d59c8d267bfcd156a68de3f39b
Date:   Tue Oct 16 17:46:52 2018 +0200
net-libs/libssh: 0.8.4 version bump for CVE-2018-10933

commit f683743f3d5db4b12427583d9a4d215cd502885f
Date:   Wed Oct 17 13:59:01 2018 +0200
net-libs/libssh: x86 stable (bug #668788)

commit b26ddba94beb0c70f08ade881b97be08cb7bd468
Date:   Wed Oct 17 18:09:17 2018 +0200
net-libs/libssh: amd64 stable wrt bug #668788

_________________
backend.cpp:92:2: warning: #warning TODO - this error message is about as useful as a cooling unit in the arctic
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum