You can get a list of all packages that need libssh2 with rpm -q --whatrequires.

On my Amazon Linux 2 instance nothing seems to require it:

[root@ip-xx-xx-xx-xx ~]# rpm -q --whatrequires libssh2
no package requires libssh2

To be extra sure you can try to list all processes that have the shared library open:

[root@ip-xx-xx-xx-xx ~]# rpm -ql libssh2
/usr/lib64/libssh2.so.1
/usr/lib64/libssh2.so.1.0.1     <== this is the one
...
[root@ip-xx-xx-xx-xx ~]# fuser /usr/lib64/libssh2.so.1.0.1
(... empty output ...)
[root@ip-xx-xx-xx-xx ~]#

Looks like on my Amazon Linux 2 EC2 nothing uses libssh2. Note that fuser must be run as root or with sudo, otherwise you won't see any system processes.

Hope that helps :)
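
The fuser check above only sees processes holding the file that is currently at that path. As an added example (not part of the original answer), this script reads /proc/<pid>/maps directly and also reports processes still mapping a copy that was replaced on disk, e.g. by a package update. The function names, the optional proc-root argument and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# procs_mapping LIB [PROC_ROOT]
# Prints "<pid> <state> <path>" for every process that maps LIB.
# state is "current", or "deleted" when the process still maps a copy that
# has since been unlinked or replaced on disk (it keeps running the old code
# until restarted). PROC_ROOT defaults to /proc; it is a parameter only so the
# function can be exercised against a constructed tree. Run as root to see
# processes owned by other users.
procs_mapping() {
    lib=$1
    root=${2:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        # maps columns: address perms offset dev inode pathname [(deleted)]
        awk -v lib="$lib" -v pid="$pid" '
            $6 == lib {
                state = ($NF == "(deleted)") ? "deleted" : "current"
                if (!seen[state]++) print pid, state, $6
            }' "$maps" 2>/dev/null || true   # process may exit mid-scan
    done
}

# Builds a constructed /proc-like tree (sample data, not real output) and
# prints its path: PID 101 maps the library, PID 202 maps a replaced copy,
# PID 303 does not map it at all.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir "$d/101" "$d/202" "$d/303"
    printf '%s\n' \
        '7f1c2a000000-7f1c2a02b000 r-xp 00000000 ca:01 393301 /usr/lib64/libssh2.so.1.0.1' \
        '7f1c2a22a000-7f1c2a22b000 r--p 0002a000 ca:01 393301 /usr/lib64/libssh2.so.1.0.1' \
        > "$d/101/maps"
    printf '%s\n' \
        '7f9d10000000-7f9d1002b000 r-xp 00000000 ca:01 391877 /usr/lib64/libssh2.so.1.0.1 (deleted)' \
        > "$d/202/maps"
    printf '%s\n' \
        '7f3300000000-7f33001c2000 r-xp 00000000 ca:01 390112 /usr/lib64/libc-2.26.so' \
        '7ffd5a1e0000-7ffd5a201000 rw-p 00000000 00:00 0 [stack]' \
        > "$d/303/maps"
    echo "$d"
}

# Usage: sh this_script /usr/lib64/libssh2.so.1.0.1
if [ "$#" -gt 0 ]; then
    procs_mapping "$@"
fi
```

A "deleted" line after a library update means that process needs a restart before it picks up the patched code.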


The vulnerability described here only applies to programs which run an ssh server using libssh code. The server used on virtually every VM is OpenSSH, which does not use libssh. It is irrelevant to programs which use libssh as an ssh client.

This vulnerability exists in libssh, not libssh2. These are completely different and unrelated packages.

If libssh is not installed, you are not vulnerable. Your system does not have libssh installed, so you are not vulnerable.

Even if libssh is installed, you must also be running an alternate SSH server which uses libssh. You are not doing this, so you are not vulnerable.