ADTSA-201805: Authentication bypass in libssh server code

Description

libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server with an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message that the server expects to initiate authentication, an attacker can successfully authenticate without any credentials.
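
The class of flaw described above, as an added example in C (a simplified model written for this page, not libssh or ADTRAN code): a dispatcher that acts on message type alone, next to one that first checks whether the message is legal for the endpoint's role and state. The session structure, function names and the `example-secret` credential are hypothetical; the message numbers are those of RFC 4252.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Message numbers from RFC 4252. */
enum { SSH2_MSG_USERAUTH_REQUEST = 50, SSH2_MSG_USERAUTH_SUCCESS = 52 };
enum role { ROLE_CLIENT, ROLE_SERVER };

/* Hypothetical, simplified session state; not libssh's own structure. */
struct session { enum role role; bool auth_request_sent; bool authenticated; };

/* Constructed stand-in for real credential verification. */
bool check_credentials(const char *pw) { return pw && strcmp(pw, "example-secret") == 0; }

/* Weak pattern: dispatch on message type alone, whatever our role is. */
bool dispatch_unfiltered(struct session *s, uint8_t type, const char *pw) {
    switch (type) {
    case SSH2_MSG_USERAUTH_REQUEST: s->authenticated = check_credentials(pw); return true;
    case SSH2_MSG_USERAUTH_SUCCESS: s->authenticated = true; return true; /* client-side logic */
    default: return false;
    }
}

/* Hardened: is this message legal for our role and current state? */
bool message_allowed(const struct session *s, uint8_t type) {
    switch (type) {
    case SSH2_MSG_USERAUTH_REQUEST: return s->role == ROLE_SERVER && !s->authenticated;
    case SSH2_MSG_USERAUTH_SUCCESS: return s->role == ROLE_CLIENT && s->auth_request_sent;
    default: return false;
    }
}

bool dispatch_filtered(struct session *s, uint8_t type, const char *pw) {
    if (!message_allowed(s, type)) return false; /* caller should drop the connection */
    return dispatch_unfiltered(s, type, pw);
}

/* Server's authenticated flag after the peer sends one message of `type`. */
bool server_auth_after(bool filtered, uint8_t type, const char *pw) {
    struct session s = { ROLE_SERVER, false, false };
    if (filtered) dispatch_filtered(&s, type, pw); else dispatch_unfiltered(&s, type, pw);
    return s.authenticated;
}

int main(void) {
    printf("unfiltered, SUCCESS from peer: %d\n", server_auth_after(false, SSH2_MSG_USERAUTH_SUCCESS, NULL));
    printf("filtered,   SUCCESS from peer: %d\n", server_auth_after(true, SSH2_MSG_USERAUTH_SUCCESS, NULL));
    printf("filtered,   valid REQUEST:     %d\n", server_auth_after(true, SSH2_MSG_USERAUTH_REQUEST, "example-secret"));
    return 0;
}
```

A server that performs authentication outside this dispatcher, as the Notes in the Affected Products section describe, does not depend on the `authenticated` flag the unfiltered path sets.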

CVE ID

Affected Products

| Product Family | Severity | Notes |
| --- | --- | --- |
| Mosaic Cloud Platform PMAA | Low (Not Exploitable) | The products listed contain an affected version of libssh, but rely on authentication methods provided outside of the libssh module. Because of this, the vulnerability is not exploitable in these products even though the vulnerable code is present. Although the vulnerability is not exploitable, ADTRAN has already patched libssh for new versions of the software currently in development. The updated version of libssh will be included in any future regularly scheduled feature and/or maintenance releases. |
| SDX 602 Series 10G PON IBONT; SDX 621 Series 10G PON SFU ONT | Low (Not Exploitable) | The products listed contain an affected version of libssh, but rely on authentication methods provided outside of the libssh module. Because of this, the vulnerability is not exploitable in these products even though the vulnerable code is present. Although the vulnerability is not exploitable, ADTRAN has already patched libssh for new versions of the software currently in development. The updated version of libssh will be included in any future regularly scheduled feature and/or maintenance releases. |
| 508G G.fast DPU; 516G G.fast DPU; SDX 2200 Series G.fast DPU | Low (Not Exploitable) | The products listed contain an affected version of libssh, but rely on authentication methods provided outside of the libssh module. Because of this, the vulnerability is not exploitable in these products even though the vulnerable code is present. Although the vulnerability is not exploitable, ADTRAN has already patched libssh for new versions of the software currently in development. The updated version of libssh will be included in any future regularly scheduled feature and/or maintenance releases. |
| SDX 6210 Series 10G EPON OLT | Low (Not Exploitable) | The products listed contain an affected version of libssh, but rely on authentication methods provided outside of the libssh module. Because of this, the vulnerability is not exploitable in these products even though the vulnerable code is present. Although the vulnerability is not exploitable, ADTRAN has already patched libssh for new versions of the software currently in development. The updated version of libssh will be included in any future regularly scheduled feature and/or maintenance releases. |
| SDX 6310 Series XGS-PON/NP-PON2 OLT | Low (Not Exploitable) | The products listed contain an affected version of libssh, but rely on authentication methods provided outside of the libssh module. Because of this, the vulnerability is not exploitable in these products even though the vulnerable code is present. Although the vulnerability is not exploitable, ADTRAN has already patched libssh for new versions of the software currently in development. The updated version of libssh will be included in any future regularly scheduled feature and/or maintenance releases. |

Mitigating Factors & Recommended Actions

| Product Family | Mitigating Factors | Recommended Actions |
| --- | --- | --- |
| Mosaic Cloud Platform PMAA | See 'Notes' in the Affected Products section above. | N/A |
| SDX 602 Series 10G PON IBONT; SDX 621 Series 10G PON SFU ONT | See 'Notes' in the Affected Products section above. | N/A |
| 508G G.fast DPU; 516G G.fast DPU; SDX 2200 Series G.fast DPU | See 'Notes' in the Affected Products section above. | N/A |
| SDX 6210 Series 10G EPON OLT | See 'Notes' in the Affected Products section above. | N/A |
| SDX 6310 Series XGS-PON/NP-PON2 OLT | See 'Notes' in the Affected Products section above. | N/A |

Resolution

| Product Family | Resolution |
| --- | --- |
| Mosaic Cloud Platform PMAA | Upgrade to the next software release when available to obtain a patched version of libssh. |
| SDX 602 Series 10G PON IBONT; SDX 621 Series 10G PON SFU ONT | Upgrade to the next software release when available to obtain a patched version of libssh. |
| 508G G.fast DPU; 516G G.fast DPU; SDX 2200 Series G.fast DPU | Upgrade to the next software release when available to obtain a patched version of libssh. |
| SDX 6210 Series 10G EPON OLT | Upgrade to the next software release when available to obtain a patched version of libssh. |
| SDX 6310 Series XGS-PON/NP-PON2 OLT | Upgrade to the next software release when available to obtain a patched version of libssh. |

Revision History

  • Revision C (2018-11-06):  All investigations have been completed
  • Revision B (2018-10-19):  Added Mosaic Cloud Platform PMAA as an affected product
  • Revision A (2018-10-19):  Initial Release

Version history

Revision #: 1 of 1
Last update: 10-19-2018 11:29 AM