Update: The following statement has been added since the initial release of this story
It turns out that F5 Networks products are not vulnerable at all. The team had published the security advisory to err on the side of caution and suggested mitigations while they looked into libssh, but there is nothing to mitigate. The AskF5 security advisory has been updated to reflect this: https://support.f5.com/csp/article/K52868493
Last week, a report about the libssh bug surfaced online, which allegedly allowed unauthenticated logins. Exploiting this vulnerability could let attackers log in to servers without a password. Although the bug put thousands of servers at risk, it did not seem too problematic, as most servers use OpenSSH or libssh2 for logins instead. However, vendors have recently started confirming that their products are affected by this libssh flaw.
RHEL And F5 Confirm Impact Of LibSSH Flaw On Their Products
Following the disclosure of the libssh flaw (CVE-2018-10933), Red Hat Enterprise Linux and F5 Networks have confirmed that their products are affected by it.
For RHEL, Red Hat confirms that the vulnerability affects Red Hat Enterprise Linux 7 Extras, while no other version is affected. As stated in their advisory:
This vulnerability affects libssh shipped in Red Hat Enterprise Linux 7 Extras. No libssh packages are included in Red Hat Enterprise Linux 6 and earlier. This issue does not affect libssh2 or openssh.
Specifically, the vulnerability affects applications on Red Hat Enterprise Linux 7 that use libssh. Red Hat confirmed that none of its own products use libssh for their SSH server implementation, so Red Hat's own packages remain unaffected.
The libssh library is available for customer or third party code to use. Such code that is linked against libssh and uses the ssh_bind* functions may be affected by this flaw.
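A triage script for the Red Hat point above, added here as an example and not part of the article or the Red Hat advisory: it takes the text that `ldd` and `nm -D --undefined-only` print for a binary and reports whether that binary links libssh (not libssh2) and imports any ssh_bind* function, which is the advisory's criterion for code that may be affected. The binary paths and symbol listings below are constructed sample data.

```python
import re

# Constructed sample data shaped like `ldd <binary>` and
# `nm -D --undefined-only <binary>` output; the paths and programs are hypothetical.
SAMPLE_LDD = {
    "/opt/acme/sshproxy": (
        "\tlibssh.so.4 => /lib64/libssh.so.4 (0x00007f2a1c000000)\n"
        "\tlibc.so.6 => /lib64/libc.so.6 (0x00007f2a1bc00000)\n"),
    "/opt/acme/backup-agent": (
        "\tlibssh.so.4 => /lib64/libssh.so.4 (0x00007f2a1c000000)\n"
        "\tlibc.so.6 => /lib64/libc.so.6 (0x00007f2a1bc00000)\n"),
    "/usr/bin/curl": (
        "\tlibssh2.so.1 => /lib64/libssh2.so.1 (0x00007f2a1b800000)\n"
        "\tlibc.so.6 => /lib64/libc.so.6 (0x00007f2a1bc00000)\n"),
}
SAMPLE_NM = {
    "/opt/acme/sshproxy": (
        "                 U ssh_bind_new\n"
        "                 U ssh_bind_listen\n"
        "                 U ssh_bind_accept\n"
        "                 U ssh_handle_key_exchange\n"),
    "/opt/acme/backup-agent": (
        "                 U ssh_new\n"
        "                 U ssh_connect\n"
        "                 U ssh_userauth_publickey_auto\n"),
    "/usr/bin/curl": "                 U libssh2_session_init_ex\n",
}

# Matches libssh.so[.N] on an ldd line but not libssh2.so, which the advisory excludes.
LIBSSH_RE = re.compile(r"^\s*libssh\.so(?:\.\d+)?\s*=>", re.M)
# Undefined (imported) symbols from the server-side ssh_bind* family.
BIND_RE = re.compile(r"\bU\s+(ssh_bind_\w+)")

def links_libssh(ldd_output: str) -> bool:
    return LIBSSH_RE.search(ldd_output) is not None

def bind_symbols(nm_output: str) -> set:
    return set(BIND_RE.findall(nm_output))

def classify(ldd_output: str, nm_output: str) -> str:
    # Verdict follows the advisory: only libssh users that call ssh_bind* need review.
    if not links_libssh(ldd_output):
        return "not-affected: does not link libssh (libssh2 and openssh are out of scope)"
    syms = bind_symbols(nm_output)
    if syms:
        return "review: links libssh and imports " + ", ".join(sorted(syms))
    return "client-only: links libssh but imports no ssh_bind* function"
```

A statically linked or vendored copy of libssh never appears in `ldd` output, so such builds need a separate check of the binary's own strings or build manifest.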
Besides Red Hat, F5 Networks has also confirmed that this bug affects one of their products. However, they also confirm that the BIG-IP management console is not directly affected. As explained in their security advisory:
This vulnerability does not allow any login directly to the BIG-IP system. It only applies to BIG-IP AFM SSH virtual servers and only those that use key-based authentication. There is no direct access to the BIG-IP management console. Login to the BIG-IP system is not exposed in any way.
While they have not yet released patched versions of BIG-IP AFM, they recommend a mitigation for users running the vulnerable product:
You can mitigate the vulnerability by using password and keyboard interactive authentication as opposed to public key authentication with the BIG-IP AFM SSH proxy feature.
Cisco Still Investigating The Products
Cisco has recently acknowledged that the libssh vulnerability may affect as yet unidentified Cisco products. So far, they have only confirmed that the bug may affect one or more of the vendor's products and are still testing their products for the vulnerability. They have confirmed that some products are unaffected, while many others remain under investigation.
Let us know your thoughts in the comments below.