Forum Discussion
CVE-2018-10933 - libssh's server-side state machine
Note: This is not a question but mainly to share information.
Full Disclosure: I am providing this information as an F5 customer; I am not an F5 employee, nor do I speak on behalf of F5.
There is a new CVE that looks to be generating a lot of noise, as it has the potential for big impact and looks to be very straightforward to exploit.
https://www.libssh.org/security/advisories/CVE-2018-10933.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10933
CVE-2018-10933: “A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.”
At the time I am writing this, there is no public information from F5 in askF5, nor could I find information in DevCentral. Anyway, this is very new, and I am pretty sure that F5 is already working on an askf5 solution for that, as this is a critical CVE. You can open an F5 support ticket if you want to get an official message from F5, like you could do for any other CVE.
As far as I know, F5 management access uses OpenSSH, and the versions are listed in this solution:
https://support.f5.com/csp/article/K65097545
Still, early stages, as everyone is analyzing the impact.
https://nvd.nist.gov/vuln/detail/CVE-2018-10933
“This vulnerability is currently awaiting analysis.”
All public information so far indicates that OpenSSH is not affected or related to this.
So, we can assume the OpenSSH component is not a problem.
I found this old CVE about libssh that indicates that AFM SSH Proxy functionality does use libssh: https://support.f5.com/csp/article/K57255643
Looking at a 12.1.0 F5 device, libssh is installed:
[root@localhost:Active:Standalone] config rpm -qa libssh
libssh-0.7.2-1.el7.f5.1.0.0.1434.x86_64
[root@localhost:Active:Standalone] config switchboot -l
Current boot image:
HD1.1 - title BIG-IP 12.1.0 Build 0.0.1434
Default boot image:
HD1.1 - title BIG-IP 12.1.0 Build 0.0.1434
Available boot image(s):
HD1.1 - title BIG-IP 12.1.0 Build 0.0.1434
[root@localhost:Active:Standalone] config
We will need to wait for F5's official statement about this CVE, because even if libssh is being used, it could have been modified so that it is not vulnerable to this CVE. An example of that is GitHub, and they made these public statements:
“While we use libssh, we can confirm that http://GitHub.com and GitHub Enterprise are unaffected by CVE-2018-10933 due to how we use the library.”
“We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but GHE was never vulnerable to CVE-2018-10933.”
My conclusion so far is that if you don’t have AFM with SSH Proxy functionality, it is very unlikely that you are affected by this CVE.
I will update this when F5 releases the askf5 solution, if someone else is not faster than me.
- Leonardo_Souza
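
One way to turn the `rpm -qa libssh` output shown in the post into a triage signal, as an added example that is not part of the original post or any F5 tooling: it compares the upstream version in a package string with the fixed releases the CVE text names (0.7.6 and 0.8.4). The function names and the last two sample strings are constructed, and, as the post says, a hit only means the build predates the upstream fix, not that the device is vulnerable.

```shell
#!/bin/sh
# Added example (not from the post): triage rpm package strings against the
# fixed libssh releases named in the CVE-2018-10933 text (0.7.6 and 0.8.4).

# ver_lt A B: succeeds when dotted version A (x.y.z) sorts strictly before B.
ver_lt() {
    _a=$1; _b=$2
    for _i in 1 2 3; do
        _x=${_a%%.*}; _y=${_b%%.*}
        [ "$_x" -lt "$_y" ] && return 0
        [ "$_x" -gt "$_y" ] && return 1
        _a=${_a#*.}; _b=${_b#*.}
    done
    return 1   # equal versions are not "before"
}

# libssh_triage PKG: print a verdict for one "name-version-release.arch" string.
libssh_triage() {
    # Match "libssh-" exactly: libssh2 is a different library and must not match.
    _v=$(printf '%s\n' "$1" |
        sed -n 's/^libssh-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)-.*/\1/p')
    if [ -z "$_v" ]; then
        echo "unparsed"
        return 0
    fi
    # Assumption: builds below 0.8.0 are judged against 0.7.6, others against 0.8.4.
    if ver_lt "$_v" 0.8.0; then _fixed=0.7.6; else _fixed=0.8.4; fi
    if ver_lt "$_v" "$_fixed"; then
        # Only a signal: a vendor build may carry a backport or not use the server code.
        echo "predates-fix $_v (fixed in $_fixed)"
    else
        echo "at-or-after-fix $_v (fixed in $_fixed)"
    fi
}

# First sample is the string shown in the post; the other two are constructed.
for s in \
    "libssh-0.7.2-1.el7.f5.1.0.0.1434.x86_64" \
    "libssh-0.8.4-1.el7.x86_64" \
    "libssh2-1.4.3-12.el7.x86_64"
do
    printf '%-42s %s\n' "$s" "$(libssh_triage "$s")"
done
```

On a live host the same function can be fed from the package database, for example `rpm -qa libssh | while read -r p; do libssh_triage "$p"; done`.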