Security Update: NIST has published a CRITICAL CVE to announce a vulnerability in the libssh library that impacts multiple products across various vendors
libssh library users
NIST has published CVE-2018-10933 to announce a CRITICAL vulnerability in the libssh library that impacts multiple products across various vendors, including Cisco, F5, Red Hat, Ubuntu, and Debian.
Advanced Users: For a complete description of the vulnerabilities and affected systems, visit:
- NIST Vulnerability Database – CVE-2018-10933 at: https://nvd.nist.gov/vuln/detail/CVE-2018-10933
Please note that this is not an all-inclusive list of impacted systems. Contact your vendor(s) to determine if this vulnerability affects your system(s) and to obtain updated versions of products.
- libssh: https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
- Cisco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181019-libssh
- F5: https://support.f5.com/csp/article/K52868493
- SonicWall: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0016
- Red Hat: https://access.redhat.com/security/cve/cve-2018-10933
- Ubuntu: https://usn.ubuntu.com/3795-1/ and https://usn.ubuntu.com/3795-2/
- Debian: https://www.debian.org/security/2018/dsa-4322
- SUSE: https://www.suse.com/security/cve/CVE-2018-10933/
WHAT’S THE PROBLEM?
A remote attacker could exploit this vulnerability to gain unauthenticated access to vulnerable servers.
WHAT DO I NEED TO DO?
Consult vendor support resources to determine whether a vulnerable version of libssh is used in systems that you are responsible for or manage. If you have a system that is vulnerable, update the system to a non-vulnerable version.
If you use the libssh library in a service or application that you support or maintain, verify the version of libssh in use. If necessary, update your service or application to use libssh versions 0.7.6, 0.8.4, or later.
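One way to script the version check described above, as an added example that is not part of the original bulletin or of libssh itself. It assumes your inventory holds either a bare version string (for example from a package manager) or an SSH identification string; the sample inputs are constructed, and the 0.6 lower bound is taken from the upstream libssh advisory linked above rather than from this bulletin's text.

```python
import re

# Fixed releases named in this bulletin, keyed by (major, minor) branch.
FIXED = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}
# Assumption: lower bound from the upstream libssh advisory, not stated in this bulletin.
FIRST_AFFECTED = (0, 6, 0)

# SSH identification string naming libssh. "libssh2" is a different library
# and is deliberately not matched (the character after "libssh" must be - or _).
_BANNER = re.compile(r"libssh[-_](\d+)\.(\d+)\.(\d+)")
# Bare version, optionally followed by a distribution revision suffix.
_BARE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def classify(text):
    """Classify one inventory entry against CVE-2018-10933."""
    text = text.strip()
    m = _BANNER.search(text) or _BARE.match(text)
    if m is None:
        return "not-libssh"
    version = tuple(int(part) for part in m.groups()[:3])
    # A suffix after a bare version means a distribution package, which may
    # carry a backported fix without changing the upstream version number.
    packaged = m.re is _BARE and bool(m.group(4))
    if version < FIRST_AFFECTED:
        return "not-affected"
    fixed = FIXED.get(version[:2])
    # Branches without a listed fix: 0.6.x stays vulnerable, anything after 0.8 postdates the fix.
    patched = version >= fixed if fixed else version[:2] > (0, 8)
    if patched:
        return "fixed"
    return "check-vendor" if packaged else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory entries.
    samples = ["0.8.3", "0.7.6", "0.8.1-1ubuntu0.1",
               "SSH-2.0-libssh_0.8.1", "SSH-2.0-libssh2_1.8.0"]
    for entry in samples:
        print(f"{entry:28} {classify(entry)}")
```

Packaged versions that look vulnerable return `check-vendor` rather than `vulnerable` because distributions often backport the fix under an unchanged upstream version number; resolve those against the vendor advisories listed above.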
- IT SECURITY at https://it.ucsf.edu/security