What puzzles me about this libssh vuln: 1) USERAUTH_REQUEST is used for specifying the user you want to authenticate as. If you don't send it, who are you authenticated as? 2) The patch (https://www.libssh.org/security/patches/stable-0.6_CVE-2018-10933.jmcd.patch01.txt …) introduces (not replaces!) state checking. Was there none before? https://twitter.com/dlitchfield/status/1052296941436989440 …
-
I suspect that the sample sshd code from libssh isn't as fully-fledged as it needs to be. It's enough to demonstrate successful authentication at least. Aside from some IoT things visible via Shodan, I've not seen any libssh-based ssh server software. On any platform.