Test results for libssh bug on KMAX, Mini Maxwell, and Maxwell Pro

IWL Engineering has completed its investigation of the CVE-2018-10933 security flaw (libssh bug) and found that this bug is not present in our products.

Based on testing conducted by IWL engineers, there is no indication that either Mini Maxwell or KMAX is subject to the libssh flaw.

For the Maxwell Pro products, based on RedHat Fedora, RedHat has stated that its systems are not vulnerable; our testing is consistent with that.

Testing KMAX and Mini Maxwell for the libssh bug.

FIRST scanner, from LeapSecurity:

https://github.com/leapsecurity/libssh-scanner.git

Running that scanner against a Mini Maxwell and then a KMAX:

Mini Maxwell
%: ./libsshscan.py -a -p 22 192.168.17.234

libssh scanner 1.0.4

Searching for Vulnerable Hosts...

[*] 192.168.17.234:22 is not vulnerable to authentication bypass (SSH-2.0-OpenSSH_6.2)

Scanner Completed Successfully
KMAX
%: ./libsshscan.py -a -p 22 192.168.17.95

libssh scanner 1.0.4

Searching for Vulnerable Hosts...

[*] 192.168.17.95:22 is not vulnerable to authentication bypass (SSH-2.0-OpenSSH_7.2 FreeBSD-20160310)

Scanner Completed Successfully

SECOND scanner:

https://github.com/blacknbunny/libSSH-Authentication-Bypass/blob/master/libsshauthbypass.py

Mini Maxwell
%: ./libsshauthbypass.py -p 22 --host 192.168.17.234
Administratively prohibited : "Channel Not Opened" or "TCPForwarding disabled on remote/local server can't connect.".Not Vulnerable
KMAX
%: ./libsshauthbypass.py -p 22 --host 192.168.17.95
Administratively prohibited : "Channel Not Opened" or "TCPForwarding disabled on remote/local server can't connect.".Not Vulnerable

THIRD scanner also from Leap

Although its name is similar to the first one's, this scanner can look at an individual target or a range of targets.

https://github.com/leapsecurity/libssh-scanner

Mini Maxwell:
%: ./libsshscan.py -a -p 22 192.168.17.234

libssh scanner 1.0.4

Searching for Vulnerable Hosts...

[*] 192.168.17.234:22 is not vulnerable to authentication bypass (SSH-2.0-OpenSSH_6.2)

Scanner Completed Successfully
KMAX
%: ./libsshscan.py -a -p 22 192.168.17.95

libssh scanner 1.0.4

Searching for Vulnerable Hosts...

[*] 192.168.17.95:22 is not vulnerable to authentication bypass (SSH-2.0-OpenSSH_7.2 FreeBSD-20160310)

Scanner Completed Successfully

FOURTH test, specific to Mini Maxwell

Reviewing the source code for Mini Maxwell indicates that Mini Maxwell does not contain libssh. Instead Mini Maxwell uses libssh2. Notice the final "2".

libssh and libssh2 are completely different code and only libssh (without the '2') has the cited flaw.
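One quick way to tell the two libraries apart on a built system, as an added example that is not IWL's own code, is to look at which shared objects a binary links against. The trap is substring matching: a plain `grep libssh` over `ldd` output also matches `libssh2`. The `ldd` output below is constructed for the example (not captured from a Mini Maxwell) and the binary names are hypothetical; the sonames `libssh.so.4` and `libssh2.so.1` are the ones the two projects actually ship.

```python
import re

# Constructed sample ldd output (not captured from any IWL product); binary names are hypothetical.
SAMPLE_LDD = {
    "tool-a": (
        "\tlinux-vdso.so.1 (0x00007ffd1a3f2000)\n"
        "\tlibssh2.so.1 => /usr/lib/x86_64-linux-gnu/libssh2.so.1 (0x00007f1e4c2a0000)\n"
        "\tlibcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f1e4bdb0000)\n"
        "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e4b9c0000)\n"
    ),
    "tool-b": (
        "\tlibssh.so.4 => /usr/lib/x86_64-linux-gnu/libssh.so.4 (0x00007f0a12340000)\n"
        "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a11f50000)\n"
    ),
    "tool-c": "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a11f50000)\n",
}

# Anchored sonames: "libssh.so" must not be preceded by a word character or dot, and the
# literal "libssh" followed by "2" never matches the first pattern.
LIBSSH_RE = re.compile(r"(?<![\w.])libssh\.so(?:\.\d+)*")
LIBSSH2_RE = re.compile(r"(?<![\w.])libssh2\.so(?:\.\d+)*")


def naive_mentions_libssh(ldd_output):
    """What `ldd binary | grep libssh` tells you: true for libssh2 as well, so it is useless here."""
    return "libssh" in ldd_output


def classify_ssh_libs(ldd_output):
    """Return the distinct libssh and libssh2 sonames found in one binary's ldd output."""
    return {
        "libssh": sorted({m.group(0) for m in LIBSSH_RE.finditer(ldd_output)}),
        "libssh2": sorted({m.group(0) for m in LIBSSH2_RE.finditer(ldd_output)}),
    }


def links_real_libssh(ldd_output):
    """True only when libssh proper (the library named in CVE-2018-10933) is linked.

    This is the scope check; whether a linked libssh is a fixed version is a separate question.
    """
    return bool(classify_ssh_libs(ldd_output)["libssh"])


if __name__ == "__main__":
    for name, output in SAMPLE_LDD.items():
        print(name, "naive grep:", naive_mentions_libssh(output),
              "classified:", classify_ssh_libs(output),
              "in scope:", links_real_libssh(output))
```

`ldd` only shows dynamic dependencies; a statically linked or bundled copy of libssh would not appear, which is why a source-level review such as the one described above is the authoritative check.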

FIFTH test

Following the procedures in: https://www.marcolancini.it/2018/blog-libssh-auth-bypass/

These procedures don't actually probe the SSH server for the flaw; rather they generate a fingerprint of the server and compare it against fingerprints of known vulnerable servers (that list does not try to be 100% comprehensive).

Here's the list: https://gist.github.com/0x4D31/35ddb0322530414bbb4c3288292749cc

The fingerprints were not among those known to be vulnerable.

Mini Maxwell
# Nmap 7.60 scan initiated Tue Nov 13 15:53:29 2018 as: nmap -v -Pn -n --script ssh-hassh -p22 -oN ./results/22_192.168.17.234 192.168.17.234
Nmap scan report for 192.168.17.234
Host is up (0.00034s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hassh: 
|   Server Identification String: SSH-2.0-OpenSSH_6.2
|   hasshServer: cca34b641961a75a15b91d1f1a13a3fb
|_  hasshServer Algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se;hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96;none,zlib@openssh.com

Read data files from: /usr/bin/../share/nmap

# Nmap done at Tue Nov 13 15:53:29 2018 -- 1 IP address (1 host up) scanned in 0.26 seconds
KMAX Test
# Nmap 7.60 scan initiated Tue Nov 13 15:53:29 2018 as: nmap -v -Pn -n --script ssh-hassh -p22 -oN ./results/22_apu.cavebear.com apu.cavebear.com
Nmap scan report for apu.cavebear.com (192.168.17.95)
Host is up (0.00051s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hassh: 
|   Server Identification String: SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
|   hasshServer: 07094a2b29664fb4178658c6e95a241f
|_  hasshServer Algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com

Read data files from: /usr/bin/../share/nmap
# Nmap done at Tue Nov 13 15:53:29 2018 -- 1 IP address (1 host up) scanned in 0.19 seconds
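The fifth test works on the hasshServer value, which is the MD5 of the four algorithm lists the server advertises (KEX; ciphers; MACs; compression), joined exactly as nmap prints them on the "hasshServer Algorithms" line. The following is an added example, not IWL's code and not the script from the linked blog post: it parses the KMAX ssh-hassh record reproduced from the nmap run above, recomputes the fingerprint from the algorithm list to catch copy errors, and checks it against a vulnerable-fingerprint list. The KNOWN_VULNERABLE_HASSH entries are constructed placeholders standing in for the linked gist, not real fingerprints; the banner heuristic assumes libssh's default server banner prefix "SSH-2.0-libssh".

```python
import hashlib

# Constructed sample: the KMAX ssh-hassh record, copied from the nmap run shown above.
SAMPLE_NMAP_OUTPUT = """\
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hassh:
|   Server Identification String: SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
|   hasshServer: 07094a2b29664fb4178658c6e95a241f
|_  hasshServer Algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com
"""

# Constructed stand-in for the published list of vulnerable hasshServer values (the gist
# linked above). These two entries are placeholders, not real fingerprints.
KNOWN_VULNERABLE_HASSH = {
    "00000000000000000000000000000001": "placeholder entry 1 (constructed)",
    "00000000000000000000000000000002": "placeholder entry 2 (constructed)",
}


def hassh_input(kex, enc, mac, comp):
    """The exact string HASSH hashes: four comma-joined lists, joined by ';'."""
    return ";".join(",".join(group) for group in (kex, enc, mac, comp))


def hassh_server(kex, enc, mac, comp):
    """hasshServer = MD5 of the server's KEX, cipher, MAC and compression offers."""
    return hashlib.md5(hassh_input(kex, enc, mac, comp).encode("ascii")).hexdigest()


def parse_ssh_hassh(nmap_text):
    """Pull the banner, the reported hasshServer and the four algorithm lists out of ssh-hassh output."""
    fields = {}
    for line in nmap_text.splitlines():
        body = line.lstrip("|_ ").rstrip()
        if ": " not in body:
            continue
        key, value = body.split(": ", 1)
        fields[key] = value
    groups = fields["hasshServer Algorithms"].split(";")
    if len(groups) != 4:
        raise ValueError("expected kex;enc;mac;comp, got %d groups" % len(groups))
    return {
        "banner": fields["Server Identification String"],
        "hassh": fields["hasshServer"].lower(),
        "algorithms": [group.split(",") for group in groups],
    }


def assess(record, known_vulnerable):
    """Compare a parsed record against the vulnerable-fingerprint list and sanity-check it."""
    kex, enc, mac, comp = record["algorithms"]
    return {
        "banner": record["banner"],
        "hassh": record["hassh"],
        # A fingerprint that does not recompute from its own algorithm list was copied wrongly.
        "recomputed_matches": hassh_server(kex, enc, mac, comp) == record["hassh"],
        "in_known_vulnerable_list": record["hassh"] in known_vulnerable,
        "match_label": known_vulnerable.get(record["hassh"]),
        # libssh's default server banner starts with "SSH-2.0-libssh" (assumption noted in the
        # lead-in); banners can be changed, so this is a secondary hint, never a clearance.
        "banner_claims_libssh": record["banner"].lower().startswith("ssh-2.0-libssh"),
    }


if __name__ == "__main__":
    verdict = assess(parse_ssh_hassh(SAMPLE_NMAP_OUTPUT), KNOWN_VULNERABLE_HASSH)
    for key, value in verdict.items():
        print("%-26s %s" % (key, value))
```

Because the fingerprint covers only the advertised algorithm set, a match identifies an implementation and configuration that has been seen vulnerable, while a non-match is evidence rather than proof; it is consistent with the page's conclusion, which rests on the scanner results and the source review, not on this list alone.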
