Affected Users:
Anyone using wolfSSH server versions prior to release v1.4.17.
Summary:
It is possible for a malicious client to bypass user authentication when logging into a wolfSSH server. The wolfSSH server was not rigorous about checking the current state of the key exchange when handling channel open messages.
wolfSSH’s example echoserver and the wolfSSHd server will not allow one to obtain a shell as root or any other user. By skipping the user authentication, the user’s login name won’t be set, and the server will error out because it cannot find the user’s home directory. At this point, the server has allocated some memory resources for a channel, but then releases them immediately.
Due to the way wolfSSH server handles incoming connections, forwarding requires an active shell connection to work. If user authentication is skipped, the server will terminate the connection with an error before allowing any forwarding.
This issue with message processing is in the library. The application using the library has the responsibility of checking that the username is set and checking the credentials. One could have an application that gives access to the system without checking the user authentication.
Recommendation:
Prompt update to wolfSSH v1.4.17. This version rejects out-of-sequence channel messages before user authentication has completed and rejects user authentication messages after user authentication is complete.
Additional Details:
The patch fixing this issue can be viewed at the links:
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now