Forum Discussion

Leonardo_Souza
Oct 18, 2018

CVE-2018-10933 - libssh's server-side state machine

Note:

This is not a question but mainly to share information.

Full Disclosure:

I am providing this information as an F5 customer; I am not an F5 employee, nor do I speak on behalf of F5.

There is a new CVE that looks to be generating a lot of noise, as it has the potential for big impact and looks to be very straightforward to exploit.

https://www.libssh.org/security/advisories/CVE-2018-10933.txt

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10933

CVE-2018-10933

“A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.”

At the time I am writing this, there is no public information from F5 in askF5, nor could I find information in DevCentral.

Anyway, this is very new, and I am pretty sure that F5 is already working on an askf5 solution for that, as this is a critical CVE.

You can open an F5 support ticket if you want to get an official message from F5, like you could do for any other CVE.

As far as I know, F5 management access uses OpenSSH, and the versions are listed in this solution:

https://support.f5.com/csp/article/K65097545

Still, early stages, as everyone is analyzing the impact.

https://nvd.nist.gov/vuln/detail/CVE-2018-10933

“This vulnerability is currently awaiting analysis.”

All public information so far indicates that OpenSSH is not affected or related to this.

So, we can assume the OpenSSH component is not a problem.

I found this old CVE about libssh that indicates that AFM SSH Proxy functionality does use libssh: https://support.f5.com/csp/article/K57255643

Looking at a 12.1.0 F5 device, libssh is installed:

[root@localhost:Active:Standalone] config # rpm -qa libssh
libssh-0.7.2-1.el7.f5.1.0.0.1434.x86_64
[root@localhost:Active:Standalone] config # switchboot -l

Current boot image:
    HD1.1 - title BIG-IP 12.1.0 Build 0.0.1434
Default boot image:
    HD1.1 - title BIG-IP 12.1.0 Build 0.0.1434
Available boot image(s):
    HD1.1 - title BIG-IP 12.1.0 Build 0.0.1434
[root@localhost:Active:Standalone] config #

We will need to wait for F5's official statement about this CVE.

Because even if libssh is being used, it could have been modified so that it is not vulnerable to this CVE.

An example of that is GitHub, and they made these public statements:

“While we use libssh, we can confirm that http://GitHub.com and GitHub Enterprise are unaffected by CVE-2018-10933 due to how we use the library.”

“We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but GHE was never vulnerable to CVE-2018-10933.”

My conclusion so far is that if you don’t have AFM with SSH Proxy functionality, it is very unlikely that you are affected by this CVE.

I will update this when F5 releases the askf5 solution, if someone else is not faster than me.
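
A version triage for the rpm -qa libssh check shown in the post, as an added example that is not part of the original post and not F5 tooling. It compares the upstream version in an rpm package name against the fixed releases quoted from the advisory (0.7.6 and 0.8.4). The function names, the status labels and the second sample package are constructed for illustration. The result is "needs-review" rather than "vulnerable" because, as the post notes, a vendor build may have been modified.

```shell
#!/bin/sh
# Added example (not from the original post): triage rpm package names for
# libssh against the fixed releases named in the advisory, 0.7.6 and 0.8.4.

# Extract the upstream version from an rpm package name, e.g.
#   libssh-0.7.2-1.el7.f5.1.0.0.1434.x86_64 -> 0.7.2
# The pattern requires "libssh-" followed by a digit, so libssh2 (a separate
# project) and unrelated packages yield an empty result.
libssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^libssh-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)-.*/\1/p'
}

# Print one of (labels are hypothetical):
#   needs-review   - upstream version is older than the fixed release
#   fixed-upstream - 0.7.6 or later on the 0.7 branch, or 0.8.4 and later
#   unparsed       - not a libssh package name
libssh_status() {
    ver=$(libssh_version "$1")
    if [ -z "$ver" ]; then echo unparsed; return 0; fi
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    # Fold major.minor.patch into one integer so branches compare numerically.
    key=$(( major * 1000000 + minor * 1000 + patch ))
    if   [ "$key" -ge 8004 ]; then echo fixed-upstream   # 0.8.4 and later
    elif [ "$key" -ge 8000 ]; then echo needs-review     # 0.8.0 to 0.8.3
    elif [ "$key" -ge 7006 ]; then echo fixed-upstream   # 0.7.6 and later 0.7.x
    else                           echo needs-review     # before 0.7.6
    fi
}

# Read package names on stdin (one per line) and print "<package> <status>".
# On a host with rpm: rpm -qa libssh | libssh_triage
libssh_triage() {
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        printf '%s %s\n' "$pkg" "$(libssh_status "$pkg")"
    done
}

# Constructed sample input; the first line is the package name from the post.
libssh_triage <<'EOF'
libssh-0.7.2-1.el7.f5.1.0.0.1434.x86_64
libssh-0.8.4-1.example.x86_64
EOF
```

A "needs-review" result only says the package predates the upstream fix; whether the vendor build is actually affected still depends on the vendor's statement.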