Connect with us

Hi, what are you looking for?


Network Security

Cisco, F5 Networks Investigate libssh Vulnerability Impact

Cisco and F5 Networks are investigating the possible impact of the recently patched libssh vulnerability on their products, while other vendors have concluded similar investigations.

Cisco and F5 Networks are investigating the possible impact of the recently patched libssh vulnerability on their products, while other vendors have concluded similar investigations.

The bug, discovered by Peter Winter-Smith, security consultant at NCC Group, could allow an attacker to authenticate on a server without credentials. Specifically, the attacker could send the server a message to trick it into believing that authentication has been successful even if the process didn’t even start.

The flaw was reported to libssh developers on June 25 and impacts versions 0.6 and later of the library. Tracked as CVE-2018-10933, the vulnerability was addressed with the release of libssh 0.8.4 and 0.7.6 last week.

There are thousands of servers using libssh to implement the Secure Shell (SSH) remote login protocol (many operated by Verizon Wireless and Sprint PCS), but not all of them might be impacted, Winter-Smith suggested. Only libssh operating in server mode, but not the usual client mode, appears affected.

GitHub, which uses the library, said last week it wasn’t impacted, although it did apply the provided patch. OpenSSH, libssh2, curl, and libcurl aren’t affected either.

Within days after the flaw was made public, vendors have started to investigate the impact on their products, and some even confirmed they are affected.

For the past several days, Cisco has been trying to determine which of the products that use the library are affected. The company has published a list of possibly impacted applications, but has yet to confirm the vulnerability in any of them.

Advertisement. Scroll to continue reading.

F5 Networks too has been looking into its product line, and discovered that BIG-IP application delivery controllers are exposed (only BIG-IP AFM SSH virtual servers that use key-based authentication are vulnerable). Other products are either not impacted or haven’t been yet confirmed to be affected.

Red Hat Enterprise Linux 7 Extras has been confirmed vulnerable, the same as Debian (fixed in version 0.7.3-2+deb9u1), Ubuntu (18.04 LTS, 16.04 LTS, 14.04 LTS, and derivatives), and SUSE Linux Enterprise 12 and 15.

Teamspeak uses libssh, but not in a way that is susceptible to the vulnerability. Alert Logic says it isn’t impacted by the bug and that the Alert Logic appliance is not vulnerable. Netgate’s pfSense isn’t affected, and neither is Centrify DirectControl. Cyber exposure company Tenable has also assessed the weakness and determined that its products are not impacted.

In addition to exploit code for the vulnerability being published online, tools that can be used to identify this vulnerability have been released too.

The “likelihood of exploitation in the wild is low,” the co-founder and director of Hacker House suggests.

Related: Libssh Vulnerability Exposes Servers to Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.