CVE-2018-7749
Description
The SSH server implementation of AsyncSSH before 1.12.1 does not properly check whether authentication is completed before processing other requests. A customized SSH client can simply skip the authentication step.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AsyncSSH SSH server before 1.12.1 allows authentication bypass by skipping the authentication step.
Vulnerability
The SSH server implementation in AsyncSSH versions before 1.12.1 does not properly verify that authentication has been completed before processing other requests. This allows a malicious SSH client to send global or channel requests without authenticating, as the server accepts packets of types greater than MSG_USERAUTH_LAST even when _auth_complete is not set [2][3]. The affected versions are all AsyncSSH releases prior to 1.12.1 [1].
Exploitation
An attacker can exploit this by using a customized SSH client that simply skips the authentication step and sends otherwise valid SSH protocol packets (e.g., global requests, channel requests) directly after the key exchange. No authentication credentials or user interaction are required. The attacker only needs network access to the vulnerable SSH server [2][3].
Impact
Successful exploitation allows an attacker to bypass authentication entirely and interact with the SSH server as if they were authenticated. This can lead to unauthorized access, information disclosure, or potential command execution depending on the server's configuration, up to full compromise of the SSH service [2][4].
Mitigation
The vulnerability is fixed in AsyncSSH version 1.12.1, released on 2018-03-04 [1]. Users should upgrade to 1.12.1 or later immediately. The fix adds a check in _recv_packet to reject any packet type above MSG_USERAUTH_LAST if authentication is not yet complete, raising a DisconnectError [3]. No workarounds are available for earlier versions.
- GitHub - ronf/asyncssh: AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework.
- NVD - CVE-2018-7749
- Reject global and channel requests sent prior to auth being completed · ronf/asyncssh@16e6ebf
- advisory-database/vulns/asyncssh/PYSEC-2018-108.yaml at main · pypa/advisory-database
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
AsyncSSHPyPI | < 1.12.1 | 1.12.1 |
Affected products
1Patches
2c161e26cdc0dBump version number up to 1.12.1 and update change log and copyright
3 files changed · +37 −2
asyncssh/version.py+1 −1 modified@@ -18,4 +18,4 @@ __url__ = 'http://asyncssh.timeheart.net' -__version__ = '1.12.0' +__version__ = '1.12.1'
docs/changes.rst+35 −0 modified@@ -3,6 +3,41 @@ Change Log ========== +Release 1.12.1 (10 Mar 2018) +---------------------------- + +* Implemented a fix for CVE-2018-7749, where a modified SSH client could + request that an AsyncSSH server perform operations before authentication + had completed. Thanks go to Matthijs Kooijman for discovering and + reporting this issue and helping to review the fix. + +* Added a non-blocking collect_output() method to SSHClientProcess to + allow applications to retrieve data received on an output stream + without blocking. This call can be called multiple times and freely + intermixed with regular read calls with a guarantee that output will + always be returned in order and without duplication. + +* Updated debug logging implementation to make it more maintainable, and + to fix an issue where unprocessed packets were not logged in some cases. + +* Extended the support below for non-ASCII characters in comments to apply + to X.509 certificates, allowing an optional encoding to be passed in to + get_comment() and set_comment() and a get_comment_bytes() function to + get the raw comment bytes without performing Unicode decoding. + +* Fixed an issue where a UnicodeDecodeError could be reported in some + cases instead of a KeyEncryptionError when a private key was imported + using the wrong passphrase. + +* Fixed the reporting of the MAC algorithm selected during key exchange to + properly report the cipher name for GCM and Chacha ciphers that don't + use a separate MAC algorithm. The correct value was being returned in + queries after the key exchange was complete, but the logging was being + done before this adjustment was made. + +* Fixed the documentation of connection_made() in SSHSession subclasses + to properly reflect the type of SSHChannel objects passed to them. + Release 1.12.0 (5 Feb 2018) ---------------------------
README.rst+1 −1 modified@@ -77,7 +77,7 @@ License This package is released under the following terms: - Copyright (c) 2013-2017 by Ron Frederick <ronf@timeheart.net>. + Copyright (c) 2013-2018 by Ron Frederick <ronf@timeheart.net>. All rights reserved. This program and the accompanying materials are made available under
16e6ebfa8931Reject global and channel requests sent prior to auth being completed
2 files changed · +37 −2
asyncssh/connection.py+4 −0 modified@@ -746,6 +746,10 @@ def _recv_packet(self): elif (self._auth and MSG_USERAUTH_FIRST <= pkttype <= MSG_USERAUTH_LAST): processed = self._auth.process_packet(pkttype, seq, packet) + elif pkttype > MSG_USERAUTH_LAST and not self._auth_complete: + raise DisconnectError(DISC_PROTOCOL_ERROR, + 'Invalid request received before ' + 'authentication was complete') else: processed = self.process_packet(pkttype, seq, packet, pkttype not in
tests/test_connection.py+33 −2 modified@@ -130,6 +130,28 @@ def verify_and_decrypt(self, header, data, tag): return super().verify_and_decrypt(header, data + b'\xff', tag) +class _PreAuthRequestClient(asyncssh.SSHClient): + """Test sending a request prior to auth complete""" + + def __init__(self): + self._conn = None + + def connection_made(self, conn): + """Save connection for use later""" + + self._conn = conn + + def password_auth_requested(self): + """Attempt to execute a command before authentication is complete""" + + # pylint: disable=protected-access + self._conn._auth_complete = True + + self._conn.send_packet(MSG_GLOBAL_REQUEST, String(b'\xff'), + Boolean(True)) + return 'pw' + + class _InternalErrorClient(asyncssh.SSHClient): """Test of internal error exception handler""" @@ -970,8 +992,8 @@ def test_abort(self): yield from self.connect() -class _TestConnectionCloseDurngAuth(ServerTestCase): - """Unit test for connection close during long auth callback""" +class _TestDuringAuth(ServerTestCase): + """Unit test for operations during auth""" @classmethod @asyncio.coroutine @@ -988,6 +1010,15 @@ def test_close_during_auth(self): yield from asyncio.wait_for(self.connect(username='user', password=''), 0.5) + @asynctest + def test_request_during_auth(self): + """Test sending a request prior to auth complete""" + + with self.assertRaises(asyncssh.DisconnectError): + yield from self.create_connection(_PreAuthRequestClient, + username='user', + compression_algs=['none']) + @unittest.skipUnless(x509_available, 'X.509 not available') class _TestServerX509Self(ServerTestCase):
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-97cv-6pjf-5f9qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-7749ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/asyncssh/PYSEC-2018-108.yamlghsaWEB
- github.com/ronf/asyncssh/commit/16e6ebfa893167c7d9d3f6dc7a2c0d197e47f43aghsaWEB
- github.com/ronf/asyncssh/commit/c161e26cdc0d41b745b63d9f17b437f073bf7ba4ghsax_refsource_CONFIRMWEB
- groups.google.com/forum/ghsaWEB
- groups.google.com/forum/mitremailing-listx_refsource_MLIST
News mentions
0No linked articles in our index yet.