How To Detect LibSSH Authentication Bypass for EC2 Instances

It was recently announced that a vulnerability in libssh, a popular library for supporting the Secure Shell (SSH) authentication protocol, left thousands of servers at risk of hijacking.

Errrr…. Uh-oh. pic.twitter.com/E4L6JInc0j

— Amit Serper (@0xAmit) October 16, 2018

Implications

The vulnerability allows an attacker to bypass authentication procedures and gain access to a server with an SSH connection enabled without having to enter the password. You can read more about it here.

An attacker can send the message to the SSH server: “SSH2_MSG_USERAUTH_SUCCESS” message instead of the “SSH2_MSG_USERAUTH_REQUEST” message that a server usually expects and which libssh uses as a sign that an authentication procedure needs to initiate.

CVE-2018-10933, xkcd style. 🙃 pic.twitter.com/61AEZlTcoZ

— svbl 🇺🇦 (@svblxyz) October 16, 2018

What You Can Do To Stay Protected

1. Update your libssh versions

This vulnerability is tracked by CVE-2018-10933, and the libssh team released versions 0.8.4 and 0.7.6  to address this bug.

2. Turn on Amazon Inspector

Amazon Inspector is an agent-based and operates at the host/workload level— small software agents installed in instances gather information about the network, file system, operating system and process activity. Using Inspector, customers can check for vulnerable software versions installed.

3. Use Dome9 Compliance Engine to detect any EC2 instances at risk

The Dome9 Compliance Engine is an automation framework that allows admins to monitor the security and compliance of their cloud environments on an ongoing basis.

[wp_colorbox_media url=”https://dome9.com/wp-content/uploads/2018/07/Dome9-_-Compliance-Engine-10-1.png” type=”image” hyperlink=”https://dome9.com/wp-content/uploads/2018/07/Dome9-_-Compliance-Engine-10-1.png” alt=”libssh”]

In a previous blog, we wrote about how we’ve used this integration to detect Spectre and Meltdown vulnerabilities with a click of a button. With the Dome9 Compliance Engine, security teams can reason and query Inspector configurations and runs by writing simple GSL rules. This allows users to:

1. Enforce Inspector Configurations — to make sure that the right Rules Packages are selected in the relevant environments

2. Enforce Inspector Runs — to make sure that the scans are running consistently.

You can use GSL rules to look for specific vulnerabilities by name or ID. For example, the rule below checks to detect the relevant CVEs and compromised EC2 instances.

Instance should not havescanners.findings contain [ ruleId='CVE-2018-10933']

Dome9’s Compliance Engine continuously scans execution and findings of the Amazon Inspector service, allowing customers to rely on that service for production systems and to ensure that no future configuration change or new workloads will violate the company’s InfoSec policies.

To learn more about the Dome9 Compliance Engine, or to try the platform for free, get started now.