An open source library, libssh, announced a fix for a vulnerability today. I’ll let them explain:
libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authenticate without any credentials.
Good thing we use OpenSSH in my company! I don’t have to monitor a bunch of software systems for security fixes and deployment–
$ nc github-enterprise.server 22
SSH-2.0-libssh_0.7.0
Shit.
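The banner check above, turned into a small inventory script so you can find every libssh server on your network rather than discovering them one at a time. This is an added example, not from the post or from the libssh project: it parses the SSH identification string (RFC 4253), flags libssh at 0.6 or later as per the advisory, and treats a libssh banner with no version as something to check by hand. The sample banners are constructed, and `fetch_banner` is a hypothetical helper for live checks.

```python
import re
import socket

# Constructed sample banners (not captured from real hosts), in the
# RFC 4253 form "SSH-protoversion-softwareversion [SP comments] CR LF".
SAMPLE_BANNERS = [
    "SSH-2.0-libssh_0.7.0\r\n",
    "SSH-2.0-OpenSSH_7.4\r\n",
    "SSH-2.0-libssh-0.5.5\r\n",
    "SSH-2.0-libssh_0.8.0 some comment\r\n",
]

# The advisory says 0.6 and above are affected; the fixed release is not
# stated here, so anything at or above this is flagged for a manual check.
AFFECTED_FROM = (0, 6)


def parse_ssh_banner(line):
    """Return (implementation, version_tuple) from an identification string, or None."""
    m = re.match(r"^SSH-(?:1\.99|2\.0)-([A-Za-z]+)[_-]?([0-9][0-9.]*)?", line.strip())
    if not m:
        return None
    impl = m.group(1)
    ver = m.group(2)
    version = tuple(int(p) for p in ver.strip(".").split(".")) if ver else ()
    return impl, version


def libssh_affected(line):
    """True when the banner advertises libssh >= 0.6, or libssh with no version."""
    parsed = parse_ssh_banner(line)
    if not parsed:
        return False
    impl, version = parsed
    if impl.lower() != "libssh":
        return False
    if not version:
        return True  # version unknown: flag it for a manual check
    return version[:2] >= AFFECTED_FROM


def fetch_banner(host, port=22, timeout=3.0):
    """Hypothetical helper: the server sends its identification line first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(255).decode("ascii", "replace").splitlines()[0]


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b.strip(), "->", "CHECK libssh version" if libssh_affected(b) else "ok")
```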