libssh CVE-2018-10933 Honeypot

Cymmetria research is releasing a honeypot for detecting the new libssh vulnerability discovered week ago on October 16th. This new vulnerability could allow anyone to bypass the authentication phase of the ssh login, and gain unauthorized access to a vulnerable server without requiring a password.

libssh is a popular open source library, and the vulnerability affects libssh server-side implementations. The vulnerability, known as CVE-2018-10933, was introduced in libssh version 0.6 (released in 2014, meaning the vulnerability existed for over four years) and was fixed on October 16h with the release of libssh versions 0.7.6 and 0.8.4.

Already in the last few days many scanners have been released, allowing attackers to find vulnerable servers.

How we made this honeypot:

  1. We used Honeycomb (our open-source platform for writing honeypots)
  2. Created an SSH server using paramiko
  3. Patched the server to look like LibSSH to scanners
  4. Patched the server to detect the vulnerability

The complete source code is available here:

In order to start using this honeypot you should take the following steps:

# pip install honeycomb-framework
# honeycomb service install libssh
# honeycomb service run libssh

Note that by default this honeypot will run on port 2222. In order to run the honeypot on port 22 you should give Python permission to open low-number ports:

# setcap 'cap_net_bind_service=+ep' /path/to/python

And then run set the port to 22:

# honeycomb service run libssh port=22

or alternatively (less recommended) run as root (the –iamroot flag is required when you run honeycomb as root):

# honeycomb --iamroot service run libssh port=22

Dekel Braunstein is VP of R&D at Cymmetria, where he leads the development process of products and services at Cymmetria. Dekel possesses more than 20 years of experience in web development and platform architecture and has vast experience in the startups industry.