CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
95.7%
According to its banner version, the remote libssh based server is vulnerable to an authentication bypass. An attacker can bypass authentication by presenting a SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST method that normally would initiate authentication.
Note that Nessus did not actually test for the flaw but instead has relied on the version in the libssh banner so this may be a false positive.
#TRUSTED 1c4a7e45d3f234a30f81cd7683f404b11055deb8a53529d767f4bd886ce1d5b9af76a1a57b4f1e65160cc909b83ab00f7544831d60dd985831351690257fe1093ef97db6baaadbeba93d9dda882e7f68fa0fe9d3c1ef7923d4eac0689362a56829246f5abb43f12e752dc703ce064903c3201949e7f640bd058431cace13130e05d4df7ce936b15a18bda9e3707e5fa44370ed05e36f43c746ea126aeb8f73e160b5a09966ce7a7bbdc2971b1c57fce74c2f8bc6144662066fabb7fd195febb28b95f4197cfd3007eeba3e62c5c0ce883f2951144b4f18c355af8871e651407949ed4eedbeee5b34c08f7e80995e292ac98c9ce7c2330f7a234a21f737682e6746fe007e6594826229a247b5aa31363317f975cf4e165d9b0dfb8f3f6ad5e389693320438ca265f5f88d3d2bc1c801be2ca714325018d80f36ed7f46ff4d0fe2ce2a758a8a11084ee10ae9553cba04cf0c1370f852b628456fa6ca8639d13247b8c3c6b4655ecfc30f689175c17f01d8af494977b05c6faeef075748f18544a3ffa17dbbd27ba650d34e3ed11b2c3615ee1d07f0762d116c45084d41f850313bdcc4d6c7f9cb6944a3eaf7e054fe1bc959439c7d50eec1045201f01f636351c53cd864ffceab43326ef257d0e1c0d1d3d737fc0a4f630c241d15735f1b76edb2d390d474a655cdb1bd0b1e973b326ffaef3e782aa5b34678f066a3d1837fffd6
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if(description)
{
script_id(118155);
script_version("1.16");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/15");
script_cve_id("CVE-2018-10933");
script_xref(name:"IAVA", value:"2018-A-0347-S");
script_name(english:"libssh 0.6.x / 0.7.x < 0.7.6 / 0.8.x < 0.8.4 Authentication Bypass (Remote Version Check)");
script_set_attribute(attribute:"synopsis", value:
"The remote server is vulnerable to an authentication bypass." );
script_set_attribute(attribute:"description", value:
"According to its banner version, the remote libssh based server is
vulnerable to an authentication bypass. An attacker can bypass
authentication by presenting a SSH2_MSG_USERAUTH_SUCCESS message in
place of the SSH2_MSG_USERAUTH_REQUEST method that normally would
initiate authentication.
Note that Nessus did not actually test for the flaw but instead has
relied on the version in the libssh banner so this may be a false
positive.");
#https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
script_set_attribute(attribute:"see_also", value: "http://www.nessus.org/u?6f6b157e");
script_set_attribute(attribute:"solution", value:
"Upgrade to libssh 0.7.6 / 0.8.4 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-10933");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/17");
script_set_attribute(attribute:"vuln_publication_date", value: "2018/10/16");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_summary(english:"Check libssh banner");
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Misc.");
script_dependencies("find_service1.nasl");
script_require_ports("Services/ssh", 22);
script_require_keys("Settings/ParanoidReport");
exit(0);
}
include("global_settings.inc");
include("audit.inc");
include("vcf.inc");
include("ssh_lib.inc");
if (report_paranoia < 2) audit(AUDIT_PARANOID);
app_name = 'libssh server';
port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE);
soc = open_sock_tcp(port);
if(!soc)
audit(AUDIT_SOCK_FAIL, port);
session = new("sshlib::session");
session.set_socket(soc);
session.cur_state.set("SOC_OPENED");
banner= '';
var tmp_chr = '';
# initial connection may be slow on some devices
tmp_chr = session.sshrecv(timeout:30, length:1);
var i = 0;
while(tmp_chr != '' && !isnull(tmp_chr) && tmp_chr =~ '[a-zA-Z0-9._-]' && session.cur_state.val == "SOC_OPENED" && i < 512)
{
banner += tmp_chr;
tmp_chr = session.sshrecv(timeout:5, length:1);
i++;
}
if(!banner)
{
session.close_socket(error:"No remote version received");
audit(AUDIT_NO_BANNER, port);
}
if(banner!~ "^SSH-2.0-libssh[_-]")
audit(AUDIT_NOT_LISTEN, app_name, port);
version = ereg_replace(pattern:"^SSH-2.0-libssh[_-]([0-9.]+).*$", replace:"\1", string:banner);
session.close_socket();
constraints = [{"min_version": "0.6", "fixed_version": "0.7.6"},
{"min_version": "0.8", "fixed_version": "0.8.4"}];
ver_match = vcf::check_version(version:vcf::parse_version(version), constraints: constraints);
if(!isnull(ver_match))
{
report =
'\n Product : ' + app_name +
'\n Version : ' + version +
'\n Fixed version : ' + ver_match["fixed_version"] +
'\n';
security_report_v4(port: port, severity:SECURITY_WARNING, extra:report);
}
else
{
audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version);
}
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
95.7%