LibSSH authentication bypass

I-P-X asked:

With the recent security announcement by libssh (CVE-2018-10933) I wonder how to find out if any of my running services use the vulnerable library? I will eventually yum upgrade the system but for now it would be nice to know if I’m in danger. I’m using Amazon Linux 2 AMI on EC2. Thanks!

My answer:


The vulnerability described here only applies to programs which run an ssh server using libssh code. The server used on virtually every VM is OpenSSH, which does not use libssh. It is irrelevant to programs which use libssh as an ssh client.

This vulnerability exists in libssh, not libssh2. These are completely different and unrelated packages.

If libssh is not installed, you are not vulnerable. Your system does not have libssh installed, so you are not vulnerable.

Even if libssh is installed, you must also be running an alternate SSH server which uses libssh. You are not doing this, so you are not vulnerable.


View the full question and any other answers on Server Fault.
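To check the points in the answer above on a running system, the following added example (not part of the original question or answer) lists processes that currently have libssh mapped, ignoring libssh2. It assumes Linux `/proc` and an rpm-based system such as Amazon Linux 2; the function names are this example's own.

```shell
#!/bin/sh
# Added example: list running processes that have libssh loaded.
# Reads Linux /proc/<pid>/maps; run as root to see every process.

# Succeeds if the maps file $1 maps libssh.so[.N...]. The pattern does not
# match libssh2.so, which is a different, unaffected library. "(deleted)"
# marks a library replaced on disk but still loaded by a process that has
# not been restarted since the upgrade.
maps_uses_libssh() {
    grep -Eq '/libssh\.so(\.[0-9]+)*( \(deleted\))?$' "$1" 2>/dev/null
}

# Print "PID COMMAND" for each process under $1 (default /proc) mapping libssh.
find_libssh_processes() {
    proc_root="${1:-/proc}"
    for proc_dir in "$proc_root"/[0-9]*; do
        [ -r "$proc_dir/maps" ] || continue
        if maps_uses_libssh "$proc_dir/maps"; then
            # cmdline is NUL-separated; the process may exit while we read it.
            cmd=$(tr '\0' ' ' 2>/dev/null < "$proc_dir/cmdline") || cmd='?'
            printf '%s %s\n' "${proc_dir##*/}" "$cmd"
        fi
    done
}

# Package check (assumes rpm is the package manager).
if command -v rpm >/dev/null 2>&1; then
    rpm -q libssh libssh2 || true
fi

echo "Processes with libssh mapped:"
find_libssh_processes /proc
```

A process in this list is only affected if it runs an SSH server built on libssh; client-side use of the library is not.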

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.