A vulnerability was found in libssh’s server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access. (CVE-2018-10933)
Impact
There is no impact. F5 products are not vulnerable to CVE-2018-10933.
Important:
- There are security scanners that will report the BIG-IP system as vulnerable; this is due to “banner grabbing.” This is a false positive.
- There are log messages, which appear only in the sshplugin debug log, that indicate a shell has been spawned. These messages are incorrect.
- There is no security exposure of SSH virtual server pool members made possible by this issue.
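The banner-grabbing check mentioned above only compares the version in the SSH identification string with the fixed releases. The sketch below is an added example, not F5 or libssh code, and shows why such a result is a version inference rather than a confirmed finding. The banners are constructed samples, the function names are hypothetical, and the 0.6.0 lower bound is an assumption taken from the libssh project's own advisory, not from this page.

```python
import re

# Fixed releases named in the advisory text above.
FIXED_07 = (0, 7, 6)
FIXED_08 = (0, 8, 4)
# Assumption (libssh project's advisory, not this page): flaw introduced in 0.6.0.
FIRST_AFFECTED = (0, 6, 0)

# RFC 4253 identification string: SSH-protoversion-softwareversion [comments]
BANNER_RE = re.compile(r"^SSH-[\d.]+-(\S+)")
# libssh has used both "libssh-X.Y.Z" and "libssh_X.Y.Z" in its banner.
LIBSSH_RE = re.compile(r"^libssh[-_](\d+)\.(\d+)\.(\d+)")


def in_affected_range(version):
    """True if the version tuple falls before 0.7.6 or before 0.8.4 on 0.8.x."""
    if version < FIRST_AFFECTED:
        return False
    if version < FIXED_07:
        return True
    return (0, 8, 0) <= version < FIXED_08


def classify_banner(banner):
    """Return what a banner-only check can conclude; it never proves exposure."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "not-ssh"
    lib = LIBSSH_RE.match(m.group(1))
    if not lib:
        return "no-libssh-version"
    version = tuple(int(part) for part in lib.groups())
    return "version-in-range" if in_affected_range(version) else "out-of-range"


def triage(banners):
    """Pair each banner with its label and whether follow-up is needed.

    "version-in-range" is only a lead: confirm it against the vendor's
    advisory or the installed package before recording a finding.
    """
    results = []
    for banner in banners:
        label = classify_banner(banner)
        results.append((banner.strip(), label, label == "version-in-range"))
    return results


# Constructed sample banners, not captured from any real system.
SAMPLE_BANNERS = ["SSH-2.0-libssh_0.8.3\r\n", "SSH-2.0-libssh-0.7.6", "SSH-2.0-OpenSSH_7.4"]
```

A "version-in-range" label is where a scanner's false positive starts: the string says nothing about whether the affected server-side code path is present or reachable in the product that sent it.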