Governance , Multi-factor & Risk-based Authentication , Next-Generation Technologies & Secure Development

Heads-Up: Patch 'Comically Bad' libSSH Flaw Now

Thankfully Most SSH - From BSD to Linux Distros to Macs - Is Unaffected
Heads-Up: Patch 'Comically Bad' libSSH Flaw Now
Few servers run libSSH, although the ones that do largely appear to be unpatched, according to internet scans conducted by Robert Graham.

Attention admins: If you use libSSH - one of the open source flavors of Secure Shell, or SSH - patch immediately.

See Also: Live Webinar | Empowering Your Human Firewall: The Art and Science of Secure Behavior

That advice follows the disclosure of a vulnerability that one security expert, Paul Ducklin of Sophos, terms "comically bad." But luckily, the flaw doesn't appear to affect the majority of Linux distributions, BSD, Mac or Windows.

"A vulnerability - a security vulnerability - that could let you log in to Linux servers without a password - that is the stuff of nightmares," says Ducklin, a senior security adviser for Sophos, in a video on the company's Naked Security blog. "That's the thing that keeps sysadmins awake at night."

Paul Ducklin of Sophos

SSH is the remote authentication login tool that's shipped with virtually all Linux or Unix systems. The bug affects libSSH versions 0.6 and above, and a patch is available here. The updated versions are 0.8.4 or 0.7.6.

Come On In

The bug isn't difficult to exploit, and it somewhat resembles the classic scene in the movie "Star Wars" where Obi-Wan Kenobi passes a Stormtrooper checkpoint by casually waving his hand and saying, "You don't need to see his identification."

Essentially, when a client logs into a server running libSSH, "the client pretends to be the server, and the server accepts that response as if it were the client," Ducklin says.

"The concern is that if somebody who knows how to exploit this if you have the vulnerable SSH server on your computer, they could be able to connect in and they won't be required to provide any authentication," Ducklin says.

A libSSH security advisory says the bug can be exploited if the client presents the server with a "SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication. The SSH2_MSG_USERAUTH_SUCCESS handler is intended only for communication from the server to the client."

Peter Winter-Smith of NCC Group discovered the bug. He warned on Twitter that his exploitation method might not be the only way to take advantage of the bug.

Check Home Routers

Thankfully, libSSH is the only SSH client affected by the bug, Ducklin says, and overall among SSH clients, it's a "minority product."

The most used one, OpenSSH, is unaffected, as well as PuTTy for Windows and Dropbear, a lighter SSH client that's used on wireless routers. libSSH2, which is unrelated to libSSH.

Robert Graham, head of offensive security research firm Errata Security, says his scans have found scant numbers of servers running libSSH.

"It's just not that big of a deal," says information security expert Dan Kaminsky, who likens it to the 12-year-old telnet encryption bug found in Solaris 10 in 2007, in that it's "funny but rare" (see Treat Data Security Like Firefighting).

Ducklin says home routers usually have an implementation of SSH installed and may be used by ISPs for remote upgrades and fixes. So it's recommended to check if a home router might be running libSSH.

Generally, users should probably turn off whatever SSH client is running on a home router unless remote access is really needed. That eliminates the chance an attacker could login to the router and tamper with settings or worse.

Attackers may use device search services such as Censys or Shodan to discover what versions of software a device may be using, Ducklin says. "Unless you know that you really need remote admin, turn it off."

Executive Editor Mathew Schwartz also contributed to this story.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.