Vulnerable libssh Embedded Into Critical IoT

ZDNet has reported that a security flaw in libssh “leaves thousands of servers at risk of hijacking.” (CVE-2018-10933) This was a well written article.  However, we believe Catalin Cimpanu, the author, understated the actual risk to organizations when he said “most servers, IoT devices, and personal computers [use the non-vulnerable] openssh instead of libssh.”

To understand why my team and I believe the libssh vulnerability is a much bigger problem than Catalin indicated, you need to know what we do.  Securolytics created an IoT Security platform from the ground up. Our core technology is used for IoT Asset Discovery and IoT Threat Defense.  In other words, Securolytics is really, really good at finding every device on the network and every risk associated with those devices.  Unique to Securolytics is our focus on mission critical IoT like Connected Medical Devices and Industrial IoT Devices.

Enterprise Security For The Internet of Things

In his article Catalin wrote most servers and IoT devices are using the non-vulnerable openssh library. He seems to have based this statement on results from the Shodan scanner.  Shodan only scans public-facing servers, like web servers, and has zero visibility into the billions of IoT devices behind corporate and home firewalls.  By contrast, Securolytics is only deployed behind firewalls. Being on the inside of an organization’s network gives Securolytics complete visibility into every device on the network.

Now that you understand our vantage point, I want to share with you what our team has discovered and provide recommendations for quickly and easily assessing the impact of the libssh vulnerability to your organization.


What Is libssh?

Almost all Unix and Linux systems use SSH.

SSH stands for Secure Shell, where the term shell is geek-speak for a command prompt, the place where most Unix-style system administration is performed, whether manually by a human, or automatically via a script. Today SSH is used for much more than just shell logins because SSH creates a secure tunnel – a general-purpose encrypted data channel between two computers on a network. SSH is commonly used to distribute server configurations, transfer files between servers and synchronize data between data centers. Security holes in SSH can therefore be a nightmare for IT Admins.

libssh is one of many libraries that can be used for SSH authentication. Other popular SSH libraries include OpenSSH, Dropbear, libssh2 and PuTTY.


The libssh Vulnerability Explained

libssh Vulnerability - CVE-2018-10933

The libssh vulnerability was added to the National Vulnerability Database (NVD) on October 17, 2018.
It was assigned a rating of “CRITICAL,” which means this vulnerability is really bad. This vulnerability allows an attacker to bypass authentication and gain access to a server using SSH without having to enter the password.


Does The libssh Vulnerability Affect IoT Devices?

Yes.  Securolytics has discovered the vulnerable libssh software has been embedded into mission critical IoT devices.  For example, we found ShoreTel’s SG-50V VoIP Switch is using libssh 0.5.2.  (figure 1) And ShoreTel is not the only manufacturer using libssh.  We have already discovered vulnerable libssh software embedded into Industrial IoT controllers and Building Automation systems.  We’re currently reviewing data from Connected Medical Devices and will post our findings as soon as possible.

libssh Vulnerability in ShoreTel VoIP Switch
figure-1 libssh Vulnerability in ShoreTel VoIP Switch


…More Bad News

libssh Vulnerable ShoreTel IoT VoIP Switch

The discovery of vulnerable software embedded into an IoT device has forced us to ask some hard and uncomfortable questions.


1. IoT Patching

IoT devices are not patched like traditional computers and servers.  Organizations must wait for the device manufacturer to release a firmware upgrade.  In the case of this ShoreTel device, will the manufacturer (now Mitel) release an upgrade?  We could not find any information on Mitel’s website acknowledging this vulnerability or the availability of a firmware upgrade.  We have contacted Mitel and will post their response here.


2. IoT Device Inventory & Vulnerability Detection

Not every ShoreTel SG-50V switch is running the vulnerable libssh software.  We found several ShoreTel SG-50V devices running Dropbear and others running OpenSSH.  Did ShoreTel install different SSH software based on when or where the device was manufactured?  Does this mean organizations that standardized on ShoreTel’s SG-50V platform could unknowingly be running 3 different SSH packages.  Is Mitel going to assist organizations with finding and testing every ShoreTel device on their network?  Will Mitel pay for this?


3. IoT Product Recalls

If my local grocery store thinks the lettuce on their shelves has been contaminated, they pull it so I don’t get sick from eating an iceberg wedge.  The FDA holds my grocer accountable.  Today, major distributors like CDW are still selling the ShoreTel SG-50V.  Is CDW shipping vulnerable equipment to customers?  No Federal agency can hold CDW accountable for selling vulnerable equipment.  Moreover, distributors like CDW have no financial incentive to pull or even test the ShoreTel SG-50V devices on their shelves.  Distributors have no liability for shipping a Trojan horse.  Caveat emptor!

** ShoreTel discontinued sales of the vulnerable SG-50V on June 30, 2018.  (EoS Announcement)  It infuriates my team and I that any distributor would continue selling outdated and potentially vulnerable equipment.  We have contacted CDW and will post their response here.


…Finally Some Good News

If you’re like me, you don’t wait around for someone else to fix your problem.  You take control of the situation by evaluating your options and then making the best decision for you and your organization. If you’re open to a new approach and not afraid to take a chance on the underdog, my team and I want to help you!

Securolytics IoTSA-1000

You can’t protect what you can’t see. Securolytics created the first and only purpose-built IoT Security Appliance that solves the IoT visibility and threat detection problem.

  • 1U Security Appliance
  • Based on Tilera’s multi-core processor
  • Powered by SecurolyticsOS, a hardened Linux-based kernal
  • 1-10Gbp SFP+ / 1-1Gbp SFP / 8-1Gbp Ethernet Ports
  • Agentless
  • Non-Inline deployment
  • HIPAA and PCI-DSS compliant
  • PortSafe™ Inspection for Connected Medical Devices
  • Installs in 2-Minutes!

Securolytics Device Detail

Simply connect the IoT Security Appliance anywhere on your network and within 24-hours you will have a complete and accurate inventory of everything on your network including your IoT devices. Using our patent-pending PortSafe™ Inspection technology, the appliance checks every device for default credentials, ICS-CERT Advisories, open CVEs and known vulnerabilities including the newly discovered libssh vulnerability. The IoTSA is designed for continuous monitoring so you will always have an up-to-date view of all devices and activity on your network.

Ready to test drive Securolytics? Click below to request a free evaluation unit. I’ll personally ensure we ship a unit to you!

Request a FREE Securolytics Evaluation Unit


Vikas Singla

Written by Vikas Singla
Co-Founder & Chief Operating Officer, Securolytics


Update 1:

Monday, October 22, 2018
cisco-sa-20181019-libsshBoth Cisco and F5 Networks have issued critical security advisories for their affected products in light of this libssh vulnerability disclosure. I do not think this will turn into a major incident for either vendor as our own research found very little Cisco or F5 equipment even using libssh.

ShoreTel, on the other hand, is much more likely to take a hit. As of today, there is still no mention of this vulnerability on Mitel’s website. For now, organizations running vulnerable ShoreTel equipment will have to develop their own risk mitigation plan.

Share/Follow Us:

2 thoughts on “Vulnerable libssh Embedded Into Critical IoT

Leave a Reply

Your email address will not be published. Required fields are marked *