

Date: October 17, 2018


This is a server authentication bypass vulnerability that allows a client to create unauthorized channels. An attacker can trick the server into accepting successful user authentication from a client that lacks valid credentials. The impact can be severe, depending on the permissions granted to the SSH server.


Servers that use libssh to implement SSH remote login can be exploited by an unauthorized client. Normally, the remote client sends user credentials to the server when the authentication process is triggered, by sending an SSH2_MSG_USERAUTH_REQUEST message that contains the credentials. The attacker, acting as a remote client, skips this step and sends a success message instead. The success message, SSH2_MSG_USERAUTH_SUCCESS, tells the server that the user is already authenticated. However, this message is only intended to be sent by a server, not a client. The server fails to differentiate between clients and servers because it uses the same state machine for authentication on both sides. Once the malicious client is mistaken for a server and succeeds in sending the authentication success message, the server’s session object becomes authenticated. This allows the attacker to connect to a shell and open it if desired.
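The shared state machine described above can be modelled in a few lines. This is an added example, not libssh's code: the `session` struct and both dispatch functions are hypothetical simplifications, and only the message numbers (from RFC 4252) are real. It shows the shared dispatch beside a version that filters messages by role before any handler runs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Message numbers from RFC 4252. */
enum { SSH2_MSG_USERAUTH_REQUEST = 50, SSH2_MSG_USERAUTH_FAILURE = 51,
       SSH2_MSG_USERAUTH_SUCCESS = 52 };

enum role { ROLE_CLIENT, ROLE_SERVER };
/* Hypothetical, simplified session object (not libssh's struct). */
struct session { enum role role; bool authenticated; };

/* Flawed model: one handler table for both roles. The SUCCESS handler was
 * written for the client side, but a server session reaches it as well. */
bool dispatch_shared(struct session *s, int msg, bool credentials_ok)
{
    switch (msg) {
    case SSH2_MSG_USERAUTH_REQUEST:   /* server verifies the credentials */
        if (credentials_ok) s->authenticated = true;
        return true;
    case SSH2_MSG_USERAUTH_SUCCESS:   /* meant for clients only */
        s->authenticated = true;
        return true;
    default:
        return false;                 /* unhandled message */
    }
}

/* Hardened model: reject messages that the peer's role may never send
 * before any handler runs. false means "drop and disconnect". */
bool dispatch_filtered(struct session *s, int msg, bool credentials_ok)
{
    bool server_only = (msg == SSH2_MSG_USERAUTH_SUCCESS ||
                        msg == SSH2_MSG_USERAUTH_FAILURE);
    if (s->role == ROLE_SERVER && server_only)
        return false;                 /* a client sent a server-to-client message */
    if (s->role == ROLE_CLIENT && msg == SSH2_MSG_USERAUTH_REQUEST)
        return false;                 /* a server sent a client-to-server message */
    return dispatch_shared(s, msg, credentials_ok);
}

int main(void)
{
    struct session a = { ROLE_SERVER, false }, b = { ROLE_SERVER, false };
    dispatch_shared(&a, SSH2_MSG_USERAUTH_SUCCESS, false);
    dispatch_filtered(&b, SSH2_MSG_USERAUTH_SUCCESS, false);
    printf("shared: auth=%d, filtered: auth=%d\n", a.authenticated, b.authenticated);
    return 0;
}
```

In the shared model the server session ends up authenticated without any credential check; in the filtered model the message is rejected and the session state is unchanged.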

Affected Environments

Any server running libssh version 0.6 or above that has not been updated to version 0.7.6 or 0.8.4 is susceptible to the attack. Some products from the following vendors are known to have been affected: Red Hat, Ubuntu, Oracle.


Update to libssh versions 0.7.6 and 0.8.4


Scan for the vulnerability in host systems using libssh

Customize library to remove pubkey-based authorization

Language: Python

Good to know:


Authentication Issues


Upgrade Version

Upgrade to version 0.7.6, 0.8.4


Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Additional information: