F5: Don't panic but folks can slip past vulnerable firewall servers, thanks to libssh's credentials-optional 'security'

www.theregister.co.uk | 10/19/2018 | Staff
shankay (Posted by) Level 3
Click For Photo: https://regmedia.co.uk/2018/03/02/shutterstock_data_thief.jpg










Updated Network box maker F5 has shipped some firewall gear that is potentially vulnerable to the libssh authentication-bypass bug.

That means anyone who can reach the at-risk systems over the network or internet can, depending on the configuration, tunnel through to backend infrastructure simply by asking nicely.

Vulnerability - Attacker - Server - Gain - Access

The vulnerability, in general, allows an attacker to trick a server into letting her gain access without any valid credentials. When the server expects a SSH2_MSG_USERAUTH_REQUEST message, the hacker sends SSH2_MSG_USERAUTH_SUCCESS, the server swallows that, and it lets the miscreant log in, with no further questions asked.

There was much guffawing in the industry over this programming cockup, because it looks so simple on the face of it. However, as Amazon Web Service's Colm MacCárthaigh noted on Twitter: “State machines are hard!”

Equipment - Makers - Libssh - Firmware - Software

Equipment makers that use libssh in their firmware and software needed to review their products to work out which are using the vulnerable library, and to ship patches for gear as necessary. This flaw does not affect OpenSSH, so if you're running classic sshd on your equipment, you're not affected.

F5 has run its eyes over its portfolio, and in announcing the conclusion of its probe, here, said only a handful of boxes in its Big-IP Advanced Firewall Manager range are vulnerable.

Big-IP - AFM - X - X - X

Big-IP AFM, branches 12.x, 13.x, and 14.x, all have a vulnerable libssh-powered SSH proxy, Thursday advisory states, and are thus at risk of malicious access if they rely on key authentication. In other words, hackers can potentially slip through the vulnerable SSH proxy, and reach backend systems.

"There is no control plane exposure to this issue. It is only exposed when using the SSH proxy functionality of BIG-IP AFM data plane on a virtual server," the biz cautioned. "A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could...
(Excerpt) Read more at: www.theregister.co.uk
Wake Up To Breaking News!
Sorry Mr. Franklin, we couldn't keep it.
Sign In or Register to comment.

Welcome to Long Room!

Where The World Finds Its News!