CVE-2018-10933 libssh authentication bypass Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-18-336 Final 1 1 2018-11-21T00:00:00 Current version 2018-11-21T00:00:00 2018-11-21T00:00:00 libssh versions 0.6 and above have an authentication bypass vulnerability inthe server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS messagein place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expectto initiate authentication, the attacker could successfully authenticatewithout any credentials. [1] Escalation of privilege FortiAP - not affectedFortiAnalyzer - not affectedFortiOS - not affectedFortiSwitch - not affectedFortiMail - not affected FortiManager - not affectedFortiWeb - not affected https://fortiguard.fortinet.com/psirt/FG-IR-18-336 CVE-2018-10933 libssh authentication bypass 1. https://www.libssh.org/security/advisories/CVE-2018-10933.txt 1. https://www.libssh.org/security/advisories/CVE-2018-10933.txt CVE-2018-10933 6.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-18-336 CVE-2018-10933 libssh authentication bypass Reference> 1. https://www.libssh.org/security/advisories/CVE-2018-10933.txt 1. https://www.libssh.org/security/advisories/CVE-2018-10933.txt