Francis Turner – VP Product Research and Security ThreatSTOP
A new vulnerability has been found in OpenSSH which is used by almost all Linux/BSD distributions, as well as many network infrastructure and security devices to allow “Secure Shell” or SSH connectivity for remote management. OpenSSH is not only utilized in open source systems, but is also commonly used in popular operating systems (OSs) such as Mac OS X, and Linux distributions including Ubuntu and Red Hat, as well as devices manufactured by IBM, HP, Sun, Cisco, Novell, Nokia, Juniper, Dell and many others.
SSH is typically used to log in to another computer over a network; execute commands on a remote computer or network device, such as a router or firewall; or securely transfer files from one computer to another over an encrypted channel or tunnel across the internet. SSH and the related SCP and SFTP services can use either a username and password for authentication, or a pre-shared key file to log in to a remote host. Typically the SSH service is set up to allow both types of access initially, and for internal connectivity across a local area network (LAN), both are commonly acceptable.
However, it has long been a recommended security policy for devices that are Internet accessible to disable the less secure username/password login capability once the required security keys have been created and configured, as third parties could otherwise gain access simply by brute-force guessing the password. Unfortunately, following this recommendation is not always possible. For example, shared systems such as multi-host servers that provide common services to multiple users and domains may be unable to require that all users have a key, as some Microsoft Windows SSH/SFTP tools do not support the use of keys.
The newly found vulnerability applies to any SSH device running the vulnerable versions of OpenSSH that allows for user/password logins as opposed to shared keys. An initial review of the vulnerability indicates that it appears to be common across nearly every device that has not yet had password logins specifically disabled because the OpenSSH code is very widely used and this bug appears to have been present for more than seven years.
The vulnerability allows an attacker to attempt many thousands of passwords for a user, instead of the default three to six attempts, before being blocked. What this means is that any vulnerable server or network device which allows user/password logins from the Internet can be remotely accessed if it has a known standard username (e.g. root or admin) and any even slightly popular password. Many networking devices are readily identified as such, and have “admin” as a standard username.
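The following is an added illustration of how a defender can spot this pattern in sshd's own logs; it is not code from the original post. It assumes the standard "Failed password" / "Failed keyboard-interactive/pam" auth-log line format written by OpenSSH, and the sample log lines are constructed. Because the source IP and client port together identify one TCP connection, a single connection with more failures than MaxAuthTries (which defaults to 6 in OpenSSH) should permit is exactly the excess of attempts the text describes, as opposed to the ordinary reconnect-every-few-guesses brute force.

```python
import re
from collections import Counter

# Match the failure line sshd writes to the auth log for password-based methods.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|keyboard-interactive/pam) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2"
)

# Constructed sample: one connection from 198.51.100.7 fails 8 times (more than
# MaxAuthTries allows), one from 203.0.113.9 fails twice, and an unrelated
# successful key login that must be ignored.
SAMPLE_LOG = [
    f"Jul 23 10:01:{i:02d} host sshd[1201]: Failed password for root "
    f"from 198.51.100.7 port 51234 ssh2" for i in range(8)
] + [
    "Jul 23 10:02:10 host sshd[1305]: Failed keyboard-interactive/pam for "
    "invalid user admin from 203.0.113.9 port 40012 ssh2",
    "Jul 23 10:02:11 host sshd[1305]: Failed keyboard-interactive/pam for "
    "invalid user admin from 203.0.113.9 port 40012 ssh2",
    "Jul 23 10:02:20 host sshd[1310]: Accepted publickey for deploy "
    "from 192.0.2.5 port 50001 ssh2",
]


def parse_failures(lines):
    """Yield (user, ip, port) for every failed password-style attempt."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), int(m.group("port"))


def find_excess_connections(lines, max_auth_tries=6):
    """Return {(ip, port): failures} for connections whose failed attempts
    exceed what MaxAuthTries should have permitted before sshd dropped them."""
    per_conn = Counter((ip, port) for _, ip, port in parse_failures(lines))
    return {conn: n for conn, n in per_conn.items() if n > max_auth_tries}


def failures_by_source(lines):
    """Total failed attempts per source IP, the basis for a blocklist decision."""
    return dict(Counter(ip for _, ip, _ in parse_failures(lines)))


if __name__ == "__main__":
    print("connections exceeding MaxAuthTries:", find_excess_connections(SAMPLE_LOG))
    print("failures per source IP:", failures_by_source(SAMPLE_LOG))
```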
Organizations that have deployed a proactive security intelligence service are protected from the scanners that will be performing this attack. Any attempts by the attackers who are scanning organizations’ networks looking for vulnerable systems will be immediately reported to the vendor. Once reported, the IP address used to scan will be added to their database of known bad actors. All activity from that IP address—inbound and outbound communications—will be blocked going forward. This enables the vendor to protect an organization’s sensitive data by blocking any attempts at data exfiltration via the IP address and any domains or URLs that use the server or host with that IP address.
Security teams can also look up IPs that they suspect are being used for scanning at: