Test Results for libssh Bug on KMAX, Mini Maxwell, and Maxwell Pro
IWL Engineering has completed its investigation of the CVE-2018-10933 security flaw (libssh bug) and found that this bug is not present in our products.
Based on testing conducted by IWL engineers, there is no indication that either Mini Maxwell or KMAX is subject to the libssh flaw.
The Maxwell Pro products are based on Red Hat Fedora. Red Hat has stated that its systems are not vulnerable, and our testing is consistent with that.
Testing KMAX and Mini Maxwell for the libssh bug.
FIRST scanner: the tester from LeapSecurity
https://github.com/leapsecurity/libssh-scanner.git
Running that scanner against a Mini Maxwell and then a KMAX:
Mini Maxwell
%: ./libsshscan.py -a -p 22 192.168.17.234
libssh scanner 1.0.4
Searching for Vulnerable Hosts...
[*] 192.168.17.234:22 is not vulnerable to authentication bypass (SSH-2.0-OpenSSH_6.2)
Scanner Completed Successfully
KMAX
%: ./libsshscan.py -a -p 22 192.168.17.95
libssh scanner 1.0.4
Searching for Vulnerable Hosts...
[*] 192.168.17.95:22 is not vulnerable to authentication bypass (SSH-2.0-OpenSSH_7.2 FreeBSD-20160310)
Scanner Completed Successfully
SECOND scanner:
https://github.com/blacknbunny/libSSH-Authentication-Bypass/blob/master/libsshauthbypass.py
Mini Maxwell
%: ./libsshauthbypass.py -p 22 --host 192.168.17.234
Administratively prohibited : "Channel Not Opened" or "TCPForwarding disabled on remote/local server can't connect.".Not Vulnerable
KMAX
%: ./libsshauthbypass.py -p 22 --host 192.168.17.95
Administratively prohibited : "Channel Not Opened" or "TCPForwarding disabled on remote/local server can't connect.".Not Vulnerable
THIRD scanner, also from Leap
Although the names are similar to the first one, this scanner can look at an individual target or range of targets.
https://github.com/leapsecurity/libssh-scanner
Mini Maxwell:
%: ./libsshscan.py -a -p 22 192.168.17.234
libssh scanner 1.0.4
Searching for Vulnerable Hosts...
[*] 192.168.17.234:22 is not vulnerable to authentication bypass (SSH-2.0-OpenSSH_6.2)
Scanner Completed Successfully
KMAX
%: ./libsshscan.py -a -p 22 192.168.17.95
libssh scanner 1.0.4
Searching for Vulnerable Hosts...
[*] 192.168.17.95:22 is not vulnerable to authentication bypass (SSH-2.0-OpenSSH_7.2 FreeBSD-20160310)
Scanner Completed Successfully
FOURTH test, specific to Mini Maxwell
Reviewing the source code for Mini Maxwell indicates that Mini Maxwell does not contain libssh. Instead, Mini Maxwell uses libssh2. Notice the final "2".
libssh and libssh2 are completely different code bases, and only libssh (without the '2') has the cited flaw.
FIFTH Test
Following the procedures in: https://www.marcolancini.it/2018/blog-libssh-auth-bypass/
These procedures don't really check the SSH server; rather, they generate a kind of fingerprint and compare it against a list of fingerprints of known vulnerable servers (that list does not try to be 100% comprehensive).
Here's the list: https://gist.github.com/0x4D31/35ddb0322530414bbb4c3288292749cc
The fingerprints were not among those known to be vulnerable.
Mini Maxwell
# Nmap 7.60 scan initiated Tue Nov 13 15:53:29 2018 as: nmap -v -Pn -n --script ssh-hassh -p22 -oN ./results/22_192.168.17.234 192.168.17.234
Nmap scan report for 192.168.17.234
Host is up (0.00034s latency).
PORT STATE SERVICE
22/tcp open sshnotification
| ssh-hassh:
| Server Identification String: SSH-2.0-OpenSSH_6.2
| hasshServer: cca34b641961a75a15b91d1f1a13a3fb
|_ hasshServer Algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se;hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96;none,zlib@openssh.com
Read data files from: /usr/bin/../share/nmap
# Nmap done at Tue Nov 13 15:53:29 2018 -- 1 IP address (1 host up) scanned in 0.26 seconds
KMAX Test
# Nmap 7.60 scan initiated Tue Nov 13 15:53:29 2018 as: nmap -v -Pn -n --script ssh-hassh -p22 -oN ./results/22_apu.cavebear.com apu.cavebear.com
Nmap scan report for apu.cavebear.com (192.168.17.95)
Host is up (0.00051s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-hassh:
| Server Identification String: SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
| hasshServer: 07094a2b29664fb4178658c6e95a241f
|_ hasshServer Algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com
Read data files from: /usr/bin/../share/nmap
# Nmap done at Tue Nov 13 15:53:29 2018 -- 1 IP address (1 host up) scanned in 0.19 seconds
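The banner and fingerprint triage behind the FOURTH and FIFTH tests, as an added Python example (not IWL's code and not code from the scanners above). The sample report is constructed from the two results on this page; the fixed versions 0.7.6 and 0.8.4 come from the libssh advisory for CVE-2018-10933, the libssh banner pattern is an assumption, and KNOWN_VULNERABLE_HASSH is a placeholder for the linked list.

```python
import re

# Constructed sample: the two results reported on this page, in the layout
# nmap's ssh-hassh script prints, with the algorithm lists left out.
REPORT = """\
Nmap scan report for 192.168.17.234
| ssh-hassh:
|   Server Identification String: SSH-2.0-OpenSSH_6.2
|   hasshServer: cca34b641961a75a15b91d1f1a13a3fb
Nmap scan report for apu.cavebear.com (192.168.17.95)
| ssh-hassh:
|   Server Identification String: SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
|   hasshServer: 07094a2b29664fb4178658c6e95a241f
"""

# Placeholder: load the real fingerprints from the list linked above.
KNOWN_VULNERABLE_HASSH = {"<hasshServer-from-published-list>"}

# Assumed banner shape for libssh; "libssh2_..." must not match.
LIBSSH_BANNER = re.compile(r"^SSH-2\.0-libssh[-_](\d+)\.(\d+)\.(\d+)")

def parse_report(text):
    """Return [(host, banner, hassh_server)] for each host in the report."""
    hosts, host, banner = [], None, None
    for line in text.splitlines():
        if m := re.match(r"Nmap scan report for (.+)", line):
            host = m.group(1)
        elif m := re.search(r"Server Identification String: (.+)", line):
            banner = m.group(1).strip()
        elif m := re.search(r"hasshServer: ([0-9a-f]{32})\b", line):
            hosts.append((host, banner, m.group(1)))
    return hosts

def classify(banner, hassh, known_bad=KNOWN_VULNERABLE_HASSH):
    """Triage one server from its identification string and hasshServer."""
    m = LIBSSH_BANNER.match(banner)
    if m:
        v = tuple(int(x) for x in m.groups())
        # Affected: 0.6 and later, until the fixes in 0.7.6 and 0.8.4.
        if (0, 6, 0) <= v < (0, 7, 6) or (0, 8, 0) <= v < (0, 8, 4):
            return "libssh banner in affected range: patch and verify"
        return "libssh banner, fixed or unaffected version"
    if hassh in known_bad:
        return "fingerprint on known-vulnerable list: investigate"
    return "no libssh indicator"

if __name__ == "__main__":
    for host, banner, hassh in parse_report(REPORT):
        print(host, "->", classify(banner, hassh))
```

Both inputs are values the server chooses to present, so the verdict is a triage signal to be confirmed against the installed packages or source, as the FOURTH test does.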