Security Experts:

SSH Patches Serious Vulnerability in Its Enterprise SSH Server

SSH Communications Security has released a patch addressing a serious vulnerability in its commercial SSH server, a day after a researcher publicly disclosed the flaw online.

Proof-of-concept code targeting a critical remote authentication bypass flaw in Linux and Unix versions of Tectia SSH server was posted on the Full Disclosure mailing list Monday. A commercial SSH server product by SSH Communications Security, Tectia SSH is used by some large enterprises for remote access.

The vulnerability existed only in password-based SSH deployments and did not affect other authentication types, Wei Chen, Metasploit Exploit Engineer at Rapid7, told SecurityWeek. During the login process, before the password authentication phase, the remote attacker can send a packet called "USERAUTH Password Change Request" to force the server to reset the password, Chen said. Instead of the server asking the user to enter a password to login, it'll ask the user to change the password.

"All SSH bugs nowadays are unique because they are very rare, especially one that's safe to use," Chen said, noting that exploits often crash a service.

The newly-released exploit code lets the attacker open a full administrator shell without prompting for a password.

The security hole in the SSH USERAUTH CHANGE REQUEST feature was present in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authentication is enabled, according to the CVE advisory (CVE-2012-5975). If exploited successfully, remote attackers could bypass authentication via a crafted session where the user entered blank passwords, said the advisory.

SSH Communications Security released patches for Tectia Server 6.3.3, 6.1.13, and 6.0.20 Tuesday afternoon. Updates for the HP-US PA-RISC for version 6.0.20 and SSH Tectia Server 6.2.6 will be released Wednesday, but the company recommended 6.2.x customers upgrade to 6.3.3 beforehand.

The fact that the scope of the vulnerability was limited to a specific version of the software, and affected only one authentication method, made it possible "to provide an immediate workaround until a fix could be delivered," Jason Thompson, director of global marketing for SSH Communications Security, told SecurityWeek.

The overall impact may be limited because there aren't many enterprises running Tectia SSH in the first place. There are around 600 hosts running Tectia SSH, according to Rapid7 CSO HD Moore. Computer search engine Shodan identifies about 500, noted Chen. Considering that only Linux/Unix based servers are vulnerable, the actual number would be even smaller, Chen said.

The vulnerability highlights the need for secure shell to have centralized control to defend against growing threats, Thompson said . "Many organizations are still using decades-old processes to manage their secure shell environments, making it easier for hackers to take advantage of a zero-day vulnerability and much more difficult to implement the fix," he said.

The flaws were disclosed by the same researcher who reported multiple vulnerabilities in MySQL over the weekend.

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.