SSH Patches Serious Vulnerability in Its Enterprise SSH Server

SSH Communications Security has released a patch addressing a serious vulnerability in its commercial SSH server, a day after a researcher publicly disclosed the flaw online.

Proof-of-concept code targeting a critical remote authentication bypass flaw in Linux and Unix versions of Tectia SSH server was posted on the Full Disclosure mailing list Monday. A commercial SSH server product by SSH Communications Security, Tectia SSH is used by some large enterprises for remote access.

The vulnerability existed only in password-based SSH deployments and did not affect other authentication types, Wei Chen, Metasploit Exploit Engineer at Rapid7, told SecurityWeek. During the login process, before the password authentication phase, the remote attacker can send a packet called “USERAUTH Password Change Request” to force the server to reset the password, Chen said. Instead of the server asking the user to enter a password to log in, it’ll ask the user to change the password.

“All SSH bugs nowadays are unique because they are very rare, especially one that’s safe to use,” Chen said, noting that exploits often crash a service.

The newly-released exploit code lets the attacker open a full administrator shell without prompting for a password.

The security hole in the SSH USERAUTH CHANGE REQUEST feature was present in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authentication is enabled, according to the CVE advisory (CVE-2012-5975). If exploited successfully, remote attackers could bypass authentication via a crafted session where the user entered blank passwords, said the advisory.

SSH Communications Security released patches for Tectia Server 6.3.3, 6.1.13, and 6.0.20 Tuesday afternoon. Updates for the HP-UX PA-RISC for version 6.0.20 and SSH Tectia Server 6.2.6 will be released Wednesday, but the company recommended 6.2.x customers upgrade to 6.3.3 beforehand.
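For defenders triaging an inventory against the affected ranges and fixes quoted above, the following is an added example, not code from SSH Communications Security or the article. The record fields (`host`, `version`, `platform`, `password_auth`), the platform labels and the sample hosts are constructed for illustration.

```python
# Added example: inventory triage for CVE-2012-5975 from the ranges quoted above.
# Record fields, platform labels and sample hosts are hypothetical/constructed.
AFFECTED = [  # inclusive version ranges from the CVE advisory text
    ((6, 0, 4), (6, 0, 20)),
    ((6, 1, 0), (6, 1, 12)),
    ((6, 2, 0), (6, 2, 5)),
    ((6, 3, 0), (6, 3, 2)),
]
# Remediation per release line as reported in the article. 6.0.20 is both the
# last affected version and the patched release, so the version number alone
# cannot confirm that the patch is installed on that line.
REMEDIATION = {
    (6, 0): "apply the vendor patch released for 6.0.20",
    (6, 1): "upgrade to 6.1.13",
    (6, 2): "upgrade to 6.3.3",
    (6, 3): "upgrade to 6.3.3",
}
UNIX_LIKE = {"linux", "unix", "solaris", "aix", "hp-ux"}  # assumed labels

def parse_version(text):
    """Return (major, minor, patch); extra build components are ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts[:3])

def triage(record):
    """Return (status, action) for one inventory record."""
    try:
        ver = parse_version(record["version"])
    except ValueError:
        return "unknown", "version could not be parsed; check manually"
    if record["platform"].lower() not in UNIX_LIKE:
        return "not affected", "advisory covers UNIX and Linux only"
    if not any(lo <= ver <= hi for lo, hi in AFFECTED):
        return "not affected", "version outside advisory ranges"
    fix = REMEDIATION[ver[:2]]
    if not record["password_auth"]:
        return "not exposed", f"password authentication disabled; still {fix}"
    return "exposed", fix

SAMPLE_INVENTORY = [  # constructed records
    {"host": "gw1", "version": "6.1.12", "platform": "linux", "password_auth": True},
    {"host": "gw2", "version": "6.2.3", "platform": "solaris", "password_auth": False},
    {"host": "gw3", "version": "6.3.3", "platform": "linux", "password_auth": True},
]

if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        print(rec["host"], *triage(rec))
```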

The fact that the scope of the vulnerability was limited to a specific version of the software, and affected only one authentication method, made it possible “to provide an immediate workaround until a fix could be delivered,” Jason Thompson, director of global marketing for SSH Communications Security, told SecurityWeek.

The overall impact may be limited because there aren’t many enterprises running Tectia SSH in the first place. There are around 600 hosts running Tectia SSH, according to Rapid7 CSO HD Moore. Computer search engine Shodan identifies about 500, noted Chen. Considering that only Linux/Unix based servers are vulnerable, the actual number would be even smaller, Chen said.

The vulnerability highlights the need for secure shell to have centralized control to defend against growing threats, Thompson said. “Many organizations are still using decades-old processes to manage their secure shell environments, making it easier for hackers to take advantage of a zero-day vulnerability and much more difficult to implement the fix,” he said.

The flaws were disclosed by the same researcher who reported multiple vulnerabilities in MySQL over the weekend.
