
Libssh 0.8.4 and 0.7.6 Authentication Bypass Vulnerability Fix (CVE-2018-10933) - mdip
https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
======
garrettr_
As pronoiac has already said, libssh != OpenSSH, which is far more widely
used. According to the footer on
[https://www.libssh.org/](https://www.libssh.org/), projects using LibSSH
include KDE's sftp implementation, X2Go, and... GitHub: "GitHub uses libssh in
production to power its git SSH infrastructure, serving millions of requests
daily." If the footer text is still accurate, that's probably the most
concerning potential issue with this vuln, although it's also possible GitHub
has mitigated this risk in other ways. It would be nice to see GitHub publish
something about this, one way or the other.

Update: they recently tweeted confirming they were not at risk,
[https://twitter.com/GitHubSecurity/status/105231733337972326...](https://twitter.com/GitHubSecurity/status/1052317333379723265)

------
pronoiac
This isn't to be confused with openssh. It's a separate package in Ubuntu [1]
and only four formulae in homebrew [2] use it.

[1] [https://packages.ubuntu.com/trusty/libssh-4](https://packages.ubuntu.com/trusty/libssh-4) - I'm surprised I don't see reverse dependencies listed here.

[2] [http://brewformulas.org/Libssh](http://brewformulas.org/Libssh)

------
itdaniher
Fortunately, seems as if this is not as easy to exploit as it sounds. Patched
dropbear to send SUCCESS instead of REQUEST and my servers throw
`dispatch_protocol_error: type 52 seq 5 [preauth]`

------
tanderson92
I'll just note here that it is possible to disable password login to your
account on a machine to which you do not have root access:

Use a combination of the "ssh_command" option in an authorized_keys to launch a
bash session with a chosen environment variable set, and you set up your
bashrc so that the lack of existence of this variable in the environment
results in an immediate logout.
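
The scheme in the comment above, sketched as an added example (not tanderson92's code). It uses OpenSSH's `command="..."` key option in `authorized_keys`; the marker name `KEY_LOGIN`, its value and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: ~/.bashrc guard for the scheme described above.
# Assumed names: KEY_LOGIN (marker variable) and its value "1".
# Matching ~/.ssh/authorized_keys entry, using OpenSSH's command="..." key
# option; the key material is a placeholder:
#   command="env KEY_LOGIN=1 bash -l" ssh-ed25519 AAAA...PLACEHOLDER me@laptop

# session_allowed SHELL_FLAGS SSH_CONNECTION MARKER
# Returns 0 to keep the session, 1 when it should be logged out.
session_allowed() {
    # Only interactive shells count as logins; scripts and cron jobs pass.
    # This also lets the outer "shell -c" that sshd uses to start the forced
    # command pass before the marker has been set.
    case "$1" in
        *i*) ;;
        *) return 0 ;;
    esac
    # No SSH context (local console, su): nothing to enforce.
    [ -n "$2" ] || return 0
    # Interactive SSH session: keep it only if the forced command set the marker.
    [ "$3" = "1" ]
}

# In ~/.bashrc, near the top, the guard itself would be:
#   session_allowed "$-" "${SSH_CONNECTION:-}" "${KEY_LOGIN:-}" || exit 1
# (assumes login shells reach ~/.bashrc, e.g. ~/.bash_profile sources it).

# Constructed cases: shell flags, SSH_CONNECTION, marker.
describe() {
    if session_allowed "$1" "$2" "$3"; then echo allow; else echo deny; fi
}
echo "key login:       $(describe himBH '203.0.113.5 50000 192.0.2.10 22' 1)"
echo "password login:  $(describe himBH '203.0.113.5 50000 192.0.2.10 22' '')"
echo "local console:   $(describe himBH '' '')"
echo "non-interactive: $(describe hBc '203.0.113.5 50000 192.0.2.10 22' '')"
```

The guard lives in the shell start-up file, so it covers interactive shells only and is not an sshd-level control such as `PasswordAuthentication no`.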

