Ericsson Enterprise Wireless

CPSEC-18: Libssh Vulnerability

2018-11-09 14:23:51

Summary: A vulnerability exists in libssh's server-side state machine in versions before 0.7.6 and 0.8.4. A malicious agent could create channels without performing authentication, facilitating unauthorized access.

Mitigation: Although CP does use libssh code, CP products are not vulnerable to this. OBM or AAOBM service - CP uses a client-side implementation, and this specific vulnerability exploits the server-side implementation. NCOS - Although we do use the libssh code, we use a separate Python authentication wrapper for authentication, and we are not vulnerable to this.
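For an inventory check along the same lines, the following added example (not code from this advisory or from the vendor) classifies a libssh deployment by the two fixed releases named in the summary and by whether the server-side API is in use. It compares per release branch, because a plain "version >= 0.7.6" test would wrongly pass 0.8.0 through 0.8.3; the host names, the `uses_server_api` flag and the verdict labels are assumptions made for the example.

```python
import re

# Fixed releases named in the advisory: 0.7.6, and 0.8.4 for the 0.8 branch.
FIXED_0_7 = (0, 7, 6)
FIXED_0_8 = (0, 8, 4)


def parse_version(text):
    """Return (major, minor, patch) from an upstream-style libssh version string."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised libssh version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def version_is_fixed(version):
    """True if the version is at or after the fix on its release branch."""
    v = parse_version(version)
    if v[:2] == (0, 8):
        return v >= FIXED_0_8
    # Older branches are checked against 0.7.6; later branches exceed both fixes.
    return v >= FIXED_0_7


def assess(version, uses_server_api):
    """Classify one deployment; uses_server_api is the operator's inventory answer."""
    if version_is_fixed(version):
        return "fixed"
    if not uses_server_api:
        # Same reasoning as the mitigation text: the flaw is in the server-side state machine.
        return "unpatched-client-only"
    return "exposed"


# Constructed inventory for illustration, not real product data.
INVENTORY = [
    ("host-a", "0.7.5", True),
    ("host-b", "0.8.3", True),
    ("host-c", "0.8.1", False),
    ("host-d", "0.7.6", True),
    ("host-e", "0.8.4", True),
]


def triage(inventory):
    """Map each host name to its verdict."""
    return {name: assess(ver, server) for name, ver, server in inventory}


if __name__ == "__main__":
    for name, verdict in triage(INVENTORY).items():
        print(name, verdict)
```

Distribution packages often backport the fix without changing the upstream version number, so an "exposed" verdict from a version string alone should be confirmed against the package changelog.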

Knowledge Article

CVE-2018-10933 NIST/NVD Detail