Governance & Risk Management , Multi-factor & Risk-based Authentication , Next-Generation Technologies & Secure Development
Heads-Up: Patch 'Comically Bad' libSSH Flaw Now
Thankfully Most SSH - From BSD to Linux Distros to Macs - Is UnaffectedAttention admins: If you use libSSH - one of the open source flavors of Secure Shell, or SSH - patch immediately.
See Also: Safeguarding against GenAI Cyberthreats with Zero Trust
That advice follows the disclosure of a vulnerability that one security expert, Paul Ducklin of Sophos, terms "comically bad." But luckily, the flaw doesn't appear to affect the majority of Linux distributions, BSD, Mac or Windows.
"A vulnerability - a security vulnerability - that could let you log in to Linux servers without a password - that is the stuff of nightmares," says Ducklin, a senior security adviser for Sophos, in a video on the company's Naked Security blog. "That's the thing that keeps sysadmins awake at night."
SSH is the remote authentication login tool that's shipped with virtually all Linux or Unix systems. The bug affects libSSH versions 0.6 and above, and a patch is available here. The updated versions are 0.8.4 or 0.7.6.
Come On In
The bug isn't difficult to exploit, and it somewhat resembles the classic scene in the movie "Star Wars" where Obi-Wan Kenobi passes a Stormtrooper checkpoint by casually waving his hand and saying, "You don't need to see his identification."
Essentially, when a client logs into a server running libSSH, "the client pretends to be the server, and the server accepts that response as if it were the client," Ducklin says.
"The concern is that if somebody who knows how to exploit this if you have the vulnerable SSH server on your computer, they could be able to connect in and they won't be required to provide any authentication," Ducklin says.
A libSSH security advisory says the bug can be exploited if the client presents the server with a "SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication. The SSH2_MSG_USERAUTH_SUCCESS handler is intended only for communication from the server to the client."
Peter Winter-Smith of NCC Group discovered the bug. He warned on Twitter that his exploitation method might not be the only way to take advantage of the bug.
... but the entire state machine is at flaw here so there may be other, more subtle, methods of exploitation. So I most definitely recommend updating all libSSH services, even those not directly vulnerable to the auth bypass.
— Peter Winter-Smith (@peterwintrsmith) October 17, 2018
Check Home Routers
Thankfully, libSSH is the only SSH client affected by the bug, Ducklin says, and overall among SSH clients, it's a "minority product."
The most used one, OpenSSH, is unaffected, as well as PuTTy for Windows and Dropbear, a lighter SSH client that's used on wireless routers. libSSH2, which is unrelated to libSSH.
Robert Graham, head of offensive security research firm Errata Security, says his scans have found scant numbers of servers running libSSH.
SSH runs on lots of different ports. If you want to scan your enterprise for the libssh vulnerability, try using masscan with all ports:
— Robert Graham (@ErrataRob) October 17, 2018
masscan -p0-65535 --banners [your-address-range-here]
I use the address range 0.0.0.0/0, but you can use smaller ones. pic.twitter.com/GUqwfWMHmM
"It's just not that big of a deal," says information security expert Dan Kaminsky, who likens it to the 12-year-old telnet encryption bug found in Solaris 10 in 2007, in that it's "funny but rare" (see Treat Data Security Like Firefighting).
Ducklin says home routers usually have an implementation of SSH installed and may be used by ISPs for remote upgrades and fixes. So it's recommended to check if a home router might be running libSSH.
Generally, users should probably turn off whatever SSH client is running on a home router unless remote access is really needed. That eliminates the chance an attacker could login to the router and tamper with settings or worse.
Attackers may use device search services such as Censys or Shodan to discover what versions of software a device may be using, Ducklin says. "Unless you know that you really need remote admin, turn it off."
Executive Editor Mathew Schwartz also contributed to this story.