libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server with an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message that the server expects to initiate authentication, an attacker can authenticate without any credentials.
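
The server-side check that this kind of bug calls for, as an added example (not ADTRAN's or libssh's code): the message numbers come from RFC 4252 and RFC 4254, while the types and function names are hypothetical. The filter refuses server-to-client authentication messages that arrive from a client, and the authenticated state changes only through a verified request.

```c
#include <stdbool.h>
#include <stdint.h>

/* Message numbers from RFC 4252 (authentication) and RFC 4254 (connection). */
#define SSH2_MSG_USERAUTH_REQUEST 50
#define SSH2_MSG_USERAUTH_FAILURE 51
#define SSH2_MSG_USERAUTH_SUCCESS 52
#define SSH2_MSG_USERAUTH_BANNER  53
#define SSH2_MSG_CHANNEL_OPEN     90

/* Hypothetical types for this example, not libssh's own. */
enum auth_state { AUTH_PENDING, AUTH_DONE };
struct server_session { enum auth_state auth; };

/* May the server dispatch this message type received from a client? */
bool server_accepts(const struct server_session *s, uint8_t type)
{
    switch (type) {
    case SSH2_MSG_USERAUTH_SUCCESS:
    case SSH2_MSG_USERAUTH_FAILURE:
    case SSH2_MSG_USERAUTH_BANNER:
        return false;                 /* server-to-client only: never valid here */
    case SSH2_MSG_USERAUTH_REQUEST:
        return s->auth == AUTH_PENDING;   /* ignored once authenticated */
    default:
        if (type >= 80)               /* connection protocol needs completed auth */
            return s->auth == AUTH_DONE;
        if (type >= 54)               /* rest of the auth range: only while pending
                                         (per-method direction checks omitted) */
            return s->auth == AUTH_PENDING;
        return true;                  /* below 50: transport layer, not gated by auth */
    }
}

/* Handle one client message. creds_valid stands in for the server's own
 * credential check (constructed input); returns true if dispatched. */
bool server_receive(struct server_session *s, uint8_t type, bool creds_valid)
{
    if (!server_accepts(s, type))
        return false;
    if (type == SSH2_MSG_USERAUTH_REQUEST && creds_valid)
        s->auth = AUTH_DONE;          /* the only place the state advances */
    return true;
}
```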

Product Family | Severity | Notes |
---|---|---|
Mosaic Cloud Platform PMAA | Low (Not Exploitable) | The products listed contain an affected version of libssh, but rely on authentication methods provided outside of the libssh module. Because of this, the vulnerability is not exploitable in these products even though the vulnerable code is present. Although the vulnerability is not exploitable, ADTRAN has already patched libssh for new versions of the software currently in development. The updated version of libssh will be included in any future regularly scheduled feature and/or maintenance releases. |
SDX 602 Series 10G PON IBONT; SDX 621 Series 10G PON SFU ONT | Low (Not Exploitable) | The products listed contain an affected version of libssh, but rely on authentication methods provided outside of the libssh module. Because of this, the vulnerability is not exploitable in these products even though the vulnerable code is present. Although the vulnerability is not exploitable, ADTRAN has already patched libssh for new versions of the software currently in development. The updated version of libssh will be included in any future regularly scheduled feature and/or maintenance releases. |
508G G.fast DPU; 516G G.fast DPU; SDX 2200 Series G.fast DPU | Low (Not Exploitable) | The products listed contain an affected version of libssh, but rely on authentication methods provided outside of the libssh module. Because of this, the vulnerability is not exploitable in these products even though the vulnerable code is present. Although the vulnerability is not exploitable, ADTRAN has already patched libssh for new versions of the software currently in development. The updated version of libssh will be included in any future regularly scheduled feature and/or maintenance releases. |
SDX 6210 Series 10G EPON OLT | Low (Not Exploitable) | The products listed contain an affected version of libssh, but rely on authentication methods provided outside of the libssh module. Because of this, the vulnerability is not exploitable in these products even though the vulnerable code is present. Although the vulnerability is not exploitable, ADTRAN has already patched libssh for new versions of the software currently in development. The updated version of libssh will be included in any future regularly scheduled feature and/or maintenance releases. |
SDX 6310 Series XGS-PON/NP-PON2 OLT | Low (Not Exploitable) | The products listed contain an affected version of libssh, but rely on authentication methods provided outside of the libssh module. Because of this, the vulnerability is not exploitable in these products even though the vulnerable code is present. Although the vulnerability is not exploitable, ADTRAN has already patched libssh for new versions of the software currently in development. The updated version of libssh will be included in any future regularly scheduled feature and/or maintenance releases. |

Product Family | Mitigating Factors | Recommended Actions |
---|---|---|
Mosaic Cloud Platform PMAA | See 'Notes' in the Affected Products section above. | N/A |
SDX 602 Series 10G PON IBONT; SDX 621 Series 10G PON SFU ONT | See 'Notes' in the Affected Products section above. | N/A |
508G G.fast DPU; 516G G.fast DPU; SDX 2200 Series G.fast DPU | See 'Notes' in the Affected Products section above. | N/A |
SDX 6210 Series 10G EPON OLT | See 'Notes' in the Affected Products section above. | N/A |
SDX 6310 Series XGS-PON/NP-PON2 OLT | See 'Notes' in the Affected Products section above. | N/A |

Product Family | Resolution |
---|---|
Mosaic Cloud Platform PMAA | Upgrade to the next software release when available to obtain a patched version of libssh. |
SDX 602 Series 10G PON IBONT; SDX 621 Series 10G PON SFU ONT | Upgrade to the next software release when available to obtain a patched version of libssh. |
508G G.fast DPU; 516G G.fast DPU; SDX 2200 Series G.fast DPU | Upgrade to the next software release when available to obtain a patched version of libssh. |
SDX 6210 Series 10G EPON OLT | Upgrade to the next software release when available to obtain a patched version of libssh. |
SDX 6310 Series XGS-PON/NP-PON2 OLT | Upgrade to the next software release when available to obtain a patched version of libssh. |