Serious SSH bug lets crooks log in just by asking nicely…

Big, bad, scary bug of the moment is CVE-2018-10933.

This is a serious flaw – in fact, it’s a very serious flaw – in a free software library called libssh.

The flaw is more than just serious – it’s scary, because it theoretically allows anyone to log into a server protected with libssh without entering a password at all.

It’s scary because ssh, or SSH as it is often written, is probably the most widely deployed remote access protocol in the world.

Almost all Unix and Linux servers use SSH for remote administration, and there are an awful lot of awfully large server farms out there, and so there’s an awful lot of SSH about.

SSH stands for secure shell, where the term shell is Unix-speak for a command prompt, the place where most Unix-style system administration functions are performed, whether manually by a logged-in human, or automatically via a logged-in script.

But SSH is used for much more than just shell logins because it creates what’s often called a secure tunnel – a general-purpose encrypted data channel between two computers on the internet.

Notable uses for SSH include secure file transfer between servers, and secure data synchronisation between data centres.

Security holes in SSH are therefore the stuff of nightmares for many sysadmins out there, and this one has certainly got the security newswires buzzing.

The good news

Here’s the good news.

By far the most commonly used SSH version out there is an open source product called OpenSSH, created and maintained by the security-conscious folks at OpenBSD.

OpenSSH is a completely separate implementation from libssh – they don’t include or rely on each other’s code.

Other well-known open source implementations of SSH include Dropbear (a stripped-down version commonly used on routers and other IoT devices), libssh2 (a different product from libssh, not merely a newer version) and PuTTY (widely used on Windows).

None of these projects has this bug either, so most of us can stand down from red alert.

The only really big, mainstream project we know of that uses libssh as its SSH server is Microsoft’s GitHub source code repository.

And the good news there is that the GitHub project [a] doesn’t actually call the buggy code in the libssh product and [b] has installed the patch anyway, just to set everyone’s minds at rest.

Another very widely used software tool that supports libssh is cURL, a command-line web data transfer tool that is shipped on every Mac, included in almost every Linux distro, and widely used for automating uploads and downloads on IoT devices.

But cURL doesn’t include SSH by default; isn’t usually used on servers to process incoming connections; and anyway cURL uses libssh2 as its first choice if you need SSH support.

The bad news

The bad news is that any server that is listening out for incoming SSH connections using libssh is at considerable risk of unauthorised access.

The bug is comically bad, and in very simple terms it goes like this.

When logging in, the client is supposed to chat to the server along these lines…


   Client and server: [...a careful cryptographic dance is done by
                          both sides to verify login credentials...]

…and then both sides can begin to send data to and fro.

But the bug means a client can just talk to a libssh server like this…


…and then both sides can begin to send data to and fro.

In other words, if the client tells the server that authentication is complete, rather than the other way around, the server happily believes it.

No password requested or required.
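To make the failure mode concrete, here is a small model of the server side of SSH user authentication. It is an added illustration written for this article, not libssh’s own code; the message numbers are the real ones from RFC 4252, while the user database, the handler names and the two dispatch tables are constructed for the example. The vulnerable table lets the server act on a message that only a server is ever supposed to send; the role-aware table only understands messages a client may legitimately send, and treats anything else as a protocol violation.

```python
"""Toy model of the server side of SSH user authentication (RFC 4252).

Added illustration, not libssh's code.  It shows why a server must only
honour messages that its peer is allowed to send: the vulnerable dispatcher
treats the server-only USERAUTH_SUCCESS message as valid input from the
client, so the client can simply declare itself logged in.
"""
import hmac

# Message numbers from RFC 4252 (real values).
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52

# Constructed credential store for the example (assumption, not real data).
USERS = {"alice": "correct horse battery staple"}


class ServerAuthState:
    """Authentication state for one incoming connection."""

    def __init__(self):
        self.authenticated = False
        self.user = None
        self.replies = []          # message numbers the server would send back
        self.disconnected = False  # set when a protocol violation is seen

    def on_userauth_request(self, payload):
        """Client asks to log in: verify the password with a constant-time compare."""
        user, method, secret = payload
        expected = USERS.get(user)
        if method == "password" and expected is not None \
                and hmac.compare_digest(expected, secret):
            self.authenticated = True
            self.user = user
            self.replies.append(SSH_MSG_USERAUTH_SUCCESS)
        else:
            self.replies.append(SSH_MSG_USERAUTH_FAILURE)

    def on_userauth_success(self, payload):
        """Meaning of USERAUTH_SUCCESS on the *client* side ("the server
        accepted us").  A server has no business interpreting it at all."""
        self.authenticated = True

    def on_unexpected(self, payload):
        """Anything the peer is not allowed to send ends the session."""
        self.disconnected = True


def vulnerable_dispatch(state):
    """Flawed table: one handler set shared by both roles, so the server
    will happily act on a message only a server may legitimately send."""
    return {
        SSH_MSG_USERAUTH_REQUEST: state.on_userauth_request,
        SSH_MSG_USERAUTH_SUCCESS: state.on_userauth_success,
    }


def fixed_dispatch(state):
    """Role-aware table: a server only understands client-originated messages."""
    return {
        SSH_MSG_USERAUTH_REQUEST: state.on_userauth_request,
    }


def run_server(dispatch_factory, client_messages):
    """Feed a sequence of (message_number, payload) pairs from the client
    into the server state machine and return the resulting state."""
    state = ServerAuthState()
    table = dispatch_factory(state)
    for msg_type, payload in client_messages:
        if state.disconnected:
            break
        handler = table.get(msg_type, state.on_unexpected)
        handler(payload)
    return state


if __name__ == "__main__":
    bogus = [(SSH_MSG_USERAUTH_SUCCESS, None)]
    print("vulnerable server authenticated:",
          run_server(vulnerable_dispatch, bogus).authenticated)   # True
    print("fixed server authenticated:",
          run_server(fixed_dispatch, bogus).authenticated)        # False
```

The design point is that the fix is not a better password check but a stricter state machine: the set of messages a server accepts must depend on its role, and an out-of-role message is a reason to disconnect, not something to look up in a shared handler table.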

What to do?

  • If you have any software product that includes or uses libssh, download and install the latest libssh version at once.
  • If you use a product that has libssh built in, rather than supplied as a shared library or DLL, you will need an updated version of the app itself.
  • If you aren’t sure, consult the product’s documentation or online community.
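The first step in that list is working out which programs on a host actually load libssh, and the second bullet warns that a statically built-in copy won’t show up as a shared library. The helper below is an added example, not a Sophos or libssh tool: it parses ldd(1) output for a dynamically linked libssh (deliberately ignoring libssh2, which is a different project) and falls back to a string-search heuristic for binaries that embed the library. The fixed libssh version number is not given above, so the script reports what it finds and leaves the version comparison to you.

```python
"""Find programs on a Linux host that use libssh, dynamically or (heuristically)
statically.  Added example, not a Sophos or libssh tool.  The sample ldd text
and sample binary bytes in the demo are constructed."""
import re
import subprocess
from pathlib import Path

# Matches "libssh.so", "libssh.so.4" etc. as the first token of an ldd line,
# but NOT "libssh2.so", which belongs to the unrelated libssh2 project.
LIBSSH_SONAME = re.compile(r"libssh\.so(\.\d+)*\b")

# Heuristic for static linkage: the library name followed by something other
# than the digit 2 (so a mention of "libssh2" alone does not count).
LIBSSH_MARKER = re.compile(rb"libssh(?!2)")


def libssh_deps_from_ldd(ldd_output):
    """Return the resolved paths of libssh libraries listed in ldd output."""
    found = []
    for raw in ldd_output.splitlines():
        line = raw.strip()
        if not LIBSSH_SONAME.match(line):
            continue
        soname = line.split()[0]
        if "not found" in line:
            found.append(soname + " (not found)")
            continue
        m = re.search(r"=>\s*(\S+)", line)
        found.append(m.group(1) if m else soname)
    return found


def embeds_libssh_strings(data):
    """Heuristic only: does the binary contain the literal 'libssh' (not 'libssh2')?
    A hit means 'inspect this by hand', not 'definitely vulnerable'."""
    return LIBSSH_MARKER.search(data) is not None


def scan(paths):
    """Run ldd on each path and return {path: findings} for anything that
    references libssh.  ldd is Linux-specific; its absence is tolerated."""
    report = {}
    for p in map(Path, paths):
        try:
            out = subprocess.run(["ldd", str(p)], capture_output=True,
                                 text=True, check=False).stdout
        except FileNotFoundError:
            out = ""
        dynamic = libssh_deps_from_ldd(out)
        static = embeds_libssh_strings(p.read_bytes()) if p.is_file() else False
        if dynamic or static:
            report[str(p)] = {"dynamic": dynamic, "static_heuristic": static}
    return report


if __name__ == "__main__":
    # Constructed ldd output for the demo; real output comes from subprocess above.
    sample = (
        "\tlinux-vdso.so.1 (0x00007ffd)\n"
        "\tlibssh.so.4 => /usr/lib/x86_64-linux-gnu/libssh.so.4 (0x00007f00)\n"
        "\tlibssh2.so.1 => /usr/lib/x86_64-linux-gnu/libssh2.so.1 (0x00007f01)\n"
        "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02)\n"
    )
    print(libssh_deps_from_ldd(sample))   # ['/usr/lib/x86_64-linux-gnu/libssh.so.4']
    print(embeds_libssh_strings(b"\x7fELF...libssh_server..."))   # True
```

Run `scan()` over the binaries you care about (for example the contents of /usr/sbin or a vendor appliance’s install directory); anything it reports with a dynamic hit needs the shared library updated, and anything with only a static hit needs an updated build of the application itself, exactly as the second bullet says.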

For more information, watch our video discussing the issue and what to do about it:
