Libssh Security Flaw leaves thousands of servers vulnerable to hijacking. A security flaw in libssh leaves thousands, and potentially more, servers vulnerable to an attack. Libssh is a multiplatform C library which allows users to remotely execute programs, transfer files, manage public keys and use a secure and transparent tunnel.

The security flaw, discovered by Peter Winter-Smith from NCC Group, allows a hacker to bypass the authentication process on the servers and gain access to the system without having to enter a password.

An attacker can do this by sending the SSH server “SSH2_MSG_USERAUTH_SUCCESS” message instead of the “SSH2_MSG_USERAUTH_REQUEST” message that a server usually expects and which libssh uses as a sign that an authentication procedure needs to initiate.

The libssh system will treat this message to mean the authentication has already taken place and allow the attacker access to the server. The flaw (CVE-2018-10933) was released in January 2014 in release 0.6.0.

It’s estimated that the vulnerability currently affects at least 3000 servers, however this is based on a small search and the scale of the problem is not yet known. There were concerns that the popular version control site for developers to work collaboratively on projects, GitHub, was affected but they have released a statement denying this. Github claims the way they use libssh means they are not vulnerable to this exploit.

“We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with the libssh server is not relied upon for pubkey-based auth, which is what we use the library for,”

a GitHub security official said on twitter

While we use libssh, we can confirm that https://t.co/0iKPk21RVu and GitHub Enterprise are unaffected by CVE-2018-10933 due to how we use the library.

— GitHub Security (@GitHubSecurity) October 16, 2018

The security flaw is only on the server side, meaning users who have a libssh based SSH client installed on their computer will be safe from potential attackers looking to exploit this vulnerability.

While there are currently no public exploits available for the vulnerability, they are easy to put together so these are likely to pop up online in the coming days and weeks.

The team at libssh released versions 0.8.4 and 0.7.6 yesterday to handle this bug.

Several vulnerabilities found in RouterOS that Affected MikroTik Routers

Tenable researcher, Jacob Baines, has discovered multiple vulnerabilities in the Mikrotik routers; four separate security flaws that are vulnerable to hacking attacks. Mikrotik made it into the news in September after it was discovered routers had been hijacked using a security flaw on the RouterOS, and attackers we able to spy on users.

RouterOS, Mikrotik’s operating system was found to have around four security flaws. This includes a remote code execution vulnerability (CVE-2018-1156), File upload memory exhaustion flaw (CVE-2018-1157), recursive JSON parsing stack exhaustion (CVE-2018-1158), and www memory corruption (CVE-2018-1159).

While these are separate vulnerabilities, they all require legitimate user credentials before being able to exploit. These vulnerabilities are particularly dangerous, allowing an attacker to gain full control of the system, by remote attacks.

This security vulnerability has been exploited in the past, memorably the hacking of 7500 routers for intercepting user’s traffic and the cryptojacking campaign in which routers were exploited for cryptocurrency mining.

According the Tenable the multiple vulnerabilities affected RouterOS versions 6.42.6 and 6.40.8. Tanable contacted MikroTik in May 2018 to inform them about the flaws, after which Mikrotik released patches to fix the issue. However, not everyone is vigilant with patching their router when these flaws become known, and Jacob Baines has estimated that around 200,000 routers across the world may still be open to this exploit.

We second Tenable’s statement in encouraging users to update their system to the latest patch at the earliest possible time to help protect against these security vulnerabilities.

Chinese Spying Chips Found Hidden on US companies’ servers. Business and markets news company Bloomberg reported today that a very small surveillance chip, similar in size to a grain of rice, has been found hidden in servers used by US companies. These servers are being used by nearly 30 American companies, including big names such as Apple and Amazon.

The servers are designed in the US by an American company called Super Micro, and do not include the chip in their designs. It is thought the chip must have been added in China, during the manufacturing process for the servers. The chip is an example of a “hardware hack” where hardware is modified to perform functions that wasn’t originally intended in the design. It is suspected the purpose of the chip is to spy on American companies and their users.

The lengthy publication by Bloomberg reports that Apple and Amazon were among those companies affected, but both companies refute the claim. An Apple spokesperson told Bloomberg that they had no history of finding malicious chips or hardware manipulations in any of its servers. Apple no longer used Super Micro servers after ending their contract with them in 2016.

Amazon also disputes the claims about their servers containing malicious chips and says they have not worked with the FBI to investigate malicious hardware within the company. Super Micro join Apple and Amazon in denying the claims about its servers.

In response to the allegations, China’s Ministry of Foreign Affairs released a statement saying “China is a resolute defender of cybersecurity. It advocates for the international community to work together on tackling cybersecurity threats through dialogue on the basis of mutual respect, equality and mutual benefit. Supply chain safety in cyberspace is an issue of common concern, and China is also a victim. China, Russia, and other member states of the Shanghai Cooperation Organization proposed an “International code of conduct for information security” to the United Nations as early as 2011. It included a pledge to ensure the supply chain security of information and communications technology products and services, in order to prevent other states from using their advantages in resources and technologies to undermine the interest of other countries. We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.

[stackCommerce layout=”2″ count=”5″ sort=”best_sellers”][/stackCommerce]