Thankfully Most SSH – from BSD to Linux Distros To Macs – Is Unaffected

Patch ‘Comically Bad’ libSSH Flaw Now
Few servers run libSSH, although the ones that do largely appear to be unpatched, according to internet scans conducted by Robert Graham.

Attention admins: If you use libSSH – one of the open source flavors of Secure Shell (SSH) – patch immediately.

That advice follows the disclosure of a vulnerability that one expert, Paul Ducklin of Sophos, terms “comically bad.” Luckily, the flaw does not appear to affect the majority of Linux distributions, BSD, Mac or Windows.

“A vulnerability – a security vulnerability – that could let you login to Linux servers without a password – that is the stuff of nightmares,” says Ducklin, a senior security advisor for Sophos, in a video on the company’s Naked Security blog. “That’s the thing that keeps sysadmins awake at night.”

Paul Ducklin of Sophos.

SSH is short for Secure Shell, the remote authentication login tool that ships with virtually all Linux or Unix systems. The bug affects libSSH versions 0.6 and above, and a patch is available here. The fixed versions are 0.8.4 and 0.7.6.

Come On In

The bug isn’t hard to exploit, and somewhat resembles the classic scene in the movie “Star Wars” where Obi-Wan Kenobi passes a Stormtrooper checkpoint by casually waving his hand and saying, “You don’t need to see his identification.”

Essentially, when a client logs into a server running libSSH, “the client pretends to be the server, and the server accepts that response as if it were the client,” Ducklin says.

“The concern is that somebody who knows how to exploit this if you have the vulnerable SSH server on your computer, they could be able to connect in and they won’t be required to provide any authentication,” Ducklin says.

A libSSH security advisory says the bug can be exploited if the client presents the server with an “SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication.”

“The SSH2_MSG_USERAUTH_SUCCESS handler is intended only for communication from the server to the client,” according to the advisory.

Peter Winter-Smith of NCC Group discovered the bug. He warned on Twitter that his exploitation method might not be the only way to take advantage of the bug.

Check Home Routers

Thankfully, libSSH is the only SSH implementation affected by the bug, and among SSH software it’s a “minority product,” Ducklin says.

The most widely used implementation, OpenSSH, is fine, as are PuTTY for Windows and Dropbear, a lightweight SSH implementation that’s commonly used on wireless routers. libSSH2 – which is unrelated to libSSH – is also unaffected.

Robert Graham, head of offensive security research firm Errata Security, says his scans have found scant numbers of servers running libSSH.

“It’s just not that big of a deal,” says information security expert Dan Kaminsky, who likens it to the 12-year-old telnet encryption bug found in Solaris 10 in 2007, in that it’s “funny but rare” (see Treat Data Security Like Firefighting).

Ducklin says home routers usually have an implementation of SSH installed, which ISPs may use for remote upgrades and fixes. So it’s worth checking whether a home router might be running libSSH.

Generally, users should turn off whatever SSH service is running on a home router unless remote access is really needed. That eliminates the chance that an attacker could log in to the router and tamper with settings or worse.

Attackers may use device search services such as Censys or Shodan to discover what versions of software a device may be using, Ducklin says.
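To check whether a device on your own network answers with a libSSH banner inside or outside the fixed ranges the article names (0.7.6 and 0.8.4), here is an added example; it is not code from the article or from the libssh project, and it assumes the banner formats noted in the comments and that any release newer than 0.8.4 is fixed.

```python
import re
import socket

# libssh identifies itself in its SSH identification string as
# "SSH-2.0-libssh_X.Y.Z" (newer releases) or "SSH-2.0-libssh-X.Y.Z"
# (older ones); both separators are accepted here (an assumption).
BANNER_RE = re.compile(r"^SSH-2\.0-libssh[_-](\d+)\.(\d+)\.(\d+)")


def parse_libssh_version(banner):
    """Return (major, minor, patch) if the banner is libssh, else None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify_banner(banner):
    """Classify a server banner as 'not-libssh', 'old', 'vulnerable' or 'patched'.

    The article states that 0.6 and above are affected and that 0.7.6 and 0.8.4
    carry the fix. Releases newer than 0.8.4 are assumed to be fixed as well.
    """
    v = parse_libssh_version(banner)
    if v is None:
        return "not-libssh"
    if v < (0, 6, 0):
        return "old"            # below 0.6: not in the affected range
    if v >= (0, 8, 4):
        return "patched"        # 0.8.4 and anything newer (assumed fixed)
    if v[1] == 7 and v >= (0, 7, 6):
        return "patched"        # the 0.7.6 backport
    return "vulnerable"         # 0.6.x, 0.7.0-0.7.5, 0.8.0-0.8.3


def fetch_banner(host, port=22, timeout=5.0):
    """Read the identification string an SSH server sends on connect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").split("\r\n")[0]


if __name__ == "__main__":
    import sys
    # Example usage against your own router (placeholder address).
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print(host, classify_banner(fetch_banner(host)))
```

Run it against your own router's address; a result of `vulnerable` means the device needs a firmware update from its vendor, while `not-libssh` covers OpenSSH, Dropbear and other implementations the article lists as unaffected.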

“Unless you know that you really need remote admin, turn it off,” Ducklin says.

Executive Editor Mathew Schwartz also contributed to this story.
