Thankfully Most SSH – from BSD to Linux Distros To Macs – Is Unaffected
Attention admins: If you use libSSH – one of the open source flavors of Secure Shell (SSH) – patch immediately.
That advice follows the disclosure of a vulnerability that one expert, Paul Ducklin of Sophos, terms “comically bad.” But luckily, the flaw doesn’t appear to affect the majority of Linux distributions, BSD, Mac or Windows.
“A vulnerability – a security vulnerability – that could let you login to Linux servers without a password – that is the stuff of nightmares,” says Ducklin, a senior security advisor for Sophos, in a video on the company’s Naked Security blog. “That’s the thing that keeps sysadmins awake at night.”
SSH is short for Secure Shell, the remote login tool that’s shipped with virtually all Linux or Unix systems. The bug affects libSSH versions 0.6 and above, and a patch is available here. The patched versions are 0.8.4 and 0.7.6.
Come On In
The bug isn’t hard to exploit, and somewhat resembles the classic scene in the movie “Star Wars” where Obi-Wan Kenobi passes a Stormtrooper checkpoint by casually waving his hand and saying, “You don’t need to see his identification.”
Essentially, when a client logs into a server running libSSH, “the client pretends to be the server, and the server accepts that response as if it were the client,” Ducklin says.
“The concern is that somebody who knows how to exploit this if you have the vulnerable SSH server on your computer, they could be able to connect in and they won’t be required to provide any authentication,” Ducklin says.
A libSSH security advisory says the bug can be exploited if the client presents the server with a “SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication.”
“The SSH2_MSG_USERAUTH_SUCCESS handler is intended only for communication from the server to the client,” according to the advisory.
… but the entire state machine is at flaw here so there may be other, more subtle, methods of exploitation. So I most definitely recommend updating all libSSH services, even those not directly vulnerable to the auth bypass.
— Peter Winter-Smith (@peterwintrsmith) October 17, 2018
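The advisory’s point, and Winter-Smith’s remark that the whole state machine is at fault, come down to which side of the connection a message handler is meant for. The following is an added toy model written for this article, not libssh’s own code: a server-side userauth dispatcher that honours SSH2_MSG_USERAUTH_SUCCESS from the peer, beside a fixed version that only installs handlers for client-to-server messages. The message numbers are the RFC 4252 values; the credential check and the "admin" credentials are constructed stand-ins.

```c
/* Toy model of the libSSH authentication bypass: a server-side userauth
 * dispatcher that honours a message only the server should ever send.
 * Simplified illustration written for this article, not libssh's code. */
#include <stdbool.h>
#include <string.h>

/* Message numbers from RFC 4252 (SSH authentication protocol). */
#define SSH2_MSG_USERAUTH_REQUEST 50
#define SSH2_MSG_USERAUTH_FAILURE 51
#define SSH2_MSG_USERAUTH_SUCCESS 52
#define SSH_PROTOCOL_ERROR        (-1)

struct session { bool authenticated; };
struct userauth_msg { int type; const char *user; const char *password; };

/* Stand-in credential check; the credentials are constructed for the example. */
static bool check_password(const char *user, const char *password)
{
    return user && password &&
           strcmp(user, "admin") == 0 && strcmp(password, "correct horse") == 0;
}

/* Shared handling of the one message a client is allowed to send here. */
static int handle_userauth_request(struct session *s, const struct userauth_msg *m)
{
    if (check_password(m->user, m->password)) {
        s->authenticated = true;
        return SSH2_MSG_USERAUTH_SUCCESS;   /* reply type the server sends back */
    }
    return SSH2_MSG_USERAUTH_FAILURE;
}

/* Buggy: dispatches on message number alone, so a USERAUTH_SUCCESS arriving
 * from the client runs the handler meant for the server-to-client direction
 * and marks the session authenticated without any credential check. */
int vulnerable_server_dispatch(struct session *s, const struct userauth_msg *m)
{
    switch (m->type) {
    case SSH2_MSG_USERAUTH_REQUEST: return handle_userauth_request(s, m);
    case SSH2_MSG_USERAUTH_SUCCESS: s->authenticated = true; return 0; /* the flaw */
    default:                        return SSH_PROTOCOL_ERROR;
    }
}

/* Fixed: the server side only handles client-to-server messages; anything
 * else during userauth is treated as a protocol violation, not a state change. */
int fixed_server_dispatch(struct session *s, const struct userauth_msg *m)
{
    if (m->type == SSH2_MSG_USERAUTH_REQUEST)
        return handle_userauth_request(s, m);
    return SSH_PROTOCOL_ERROR;   /* covers USERAUTH_SUCCESS sent by the client */
}
```

The lesson for any protocol implementation is the same: a handler table keyed only on message number, shared by both sides, lets one side trigger transitions that were designed for the other.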
Check Home Routers
Thankfully, libSSH is the only SSH client affected by the bug, and overall among SSH clients it’s a “minority product,” Ducklin says.
The most used one, OpenSSH, is fine, as are PuTTY for Windows and Dropbear, a lighter SSH client that’s used on wireless routers. libSSH2 – which is unrelated to libSSH – is also unaffected.
Robert Graham, head of offensive security research firm Errata Security, says his scans have found scant numbers of servers running libSSH.
SSH runs on lots of different ports. If you want to scan your enterprise for the libssh vulnerability, try using masscan with all ports:
masscan -p0-65535 --banners [your-address-range-here]
I use the address range 0.0.0.0/0, but you can use smaller ones.
— Robert Graham (@ErrataRob) October 17, 2018
“It’s just not that big of a deal,” says information security expert Dan Kaminsky, who likens it to the 12-year-old telnet encryption bug found in Solaris 10 in 2007, in that it’s “funny but rare” (see Treat Data Security Like Firefighting).
Ducklin says home routers usually have an implementation of SSH installed and may be used by ISPs for remote upgrades and fixes. So it’s recommended to check if a home router might be running libSSH.
Generally, users should probably turn off whatever SSH client is running on a home router unless remote access is really needed. That eliminates the chance an attacker could log in to the router and tamper with settings or worse.
“Unless you know that you really need remote admin, turn it off,” Ducklin says.
Executive Editor Mathew Schwartz also contributed to this story.