19-10-2018 15:54 via infosecurity-magazine.com

Flaw in Libssh Grants Admin Control to Servers

Security researcher Peter Winter-Smith discovered a four-year-old authentication bypass vulnerability in the server code of libssh versions 0.6 and above. According to Winter-Smith’s tweet, “The root cause is that the libSSH server and client share a state machine, so packets designed only to be processed by and update the client state can update the server state.” In the security advisory for CVE-2018-10933, Winter-Smith summarized,