libssh vulnerability

An open source library, libssh, announced a fixed vulnerability today. I’ll let them explain:

libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authenticate without any credentials.

Good thing we use openssh in my company! I don’t have to monitor a bunch of software systems for security fixes and deployment–

$ nc github-enterprise.server 22
SSH-2.0-libssh_0.7.0

Shit.

Leave a Reply

Your email address will not be published.