SSH Patches Serious Vulnerability in Its Enterprise SSH Server

SSH Communications Security has released a patch addressing a serious vulnerability in its commercial SSH server, a day after a researcher publicly disclosed the flaw online.

Proof-of-concept code targeting a critical remote authentication bypass flaw in Linux and Unix versions of Tectia SSH server was posted on the Full Disclosure mailing list Monday. A commercial SSH server product by SSH Communications Security, Tectia SSH is used by some large enterprises for remote access.

The vulnerability existed only in password-based SSH deployments and did not affect other authentication types, Wei Chen, Metasploit Exploit Engineer at Rapid7, told SecurityWeek. During the login process, before the password authentication phase, the remote attacker can send a packet called “USERAUTH Password Change Request” to force the server to reset the password, Chen said. Instead of the server asking the user to enter a password to log in, it’ll ask the user to change the password.

“All SSH bugs nowadays are unique because they are very rare, especially one that’s safe to use,” Chen said, noting that exploits often crash a service.

The newly-released exploit code lets the attacker open a full administrator shell without prompting for a password.

The security hole in the SSH USERAUTH CHANGE REQUEST feature was present in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authentication is enabled, according to the CVE advisory (CVE-2012-5975). If exploited successfully, remote attackers could bypass authentication via a crafted session where the user entered blank passwords, said the advisory.
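As an added example (not from the advisory or from SSH Communications Security), the affected ranges and preconditions above can be turned into an inventory triage check. The inventory records, their field names (`name`, `version`, `platform`, `password_auth`) and the normalized platform labels are assumptions made for illustration.

```python
import re

# Inclusive affected ranges for CVE-2012-5975, as listed in the article.
AFFECTED = [
    ((6, 0, 4), (6, 0, 20)),
    ((6, 1, 0), (6, 1, 12)),
    ((6, 2, 0), (6, 2, 5)),
    ((6, 3, 0), (6, 3, 2)),
]
AFFECTED_PLATFORMS = {"linux", "unix"}  # assumed labels; other platforms are not listed


def parse_version(text):
    """Turn '6.1.12' into (6, 1, 12); return None for anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip(), re.ASCII)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(host):
    """Return 'exposed', 'patch-pending', 'not-affected' or 'unknown'."""
    version = parse_version(host.get("version") or "")
    platform = host.get("platform")
    if version is None or platform is None:
        return "unknown"  # incomplete record: check the host by hand
    in_range = any(lo <= version <= hi for lo, hi in AFFECTED)
    if not in_range or platform.lower() not in AFFECTED_PLATFORMS:
        return "not-affected"
    # Affected build: only password-based deployments are exploitable.
    password_auth = host.get("password_auth")
    if password_auth is None:
        return "unknown"
    return "exposed" if password_auth else "patch-pending"


def report(inventory):
    """Map each host name to its triage status."""
    return {h["name"]: triage(h) for h in inventory}


# Constructed sample inventory (hypothetical hosts and field names).
SAMPLE_INVENTORY = [
    {"name": "bastion-1", "version": "6.1.12", "platform": "Linux", "password_auth": True},
    {"name": "bastion-2", "version": "6.3.2", "platform": "Unix", "password_auth": False},
    {"name": "jump-win", "version": "6.2.5", "platform": "Windows", "password_auth": True},
    {"name": "build-7", "version": "6.3.3", "platform": "Linux", "password_auth": True},
    {"name": "legacy-3", "version": "6.0.x", "platform": "Linux", "password_auth": True},
]

if __name__ == "__main__":
    for name, status in report(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

Hosts reported as `patch-pending` run an affected build with password authentication off, so they still need the update; `unknown` marks records that cannot be classified from the inventory alone.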

SSH Communications Security released patches for Tectia Server 6.3.3, 6.1.13, and 6.0.20 Tuesday afternoon. Updates for HP-UX PA-RISC for version 6.0.20 and for SSH Tectia Server 6.2.6 will be released Wednesday, but the company recommended 6.2.x customers upgrade to 6.3.3 beforehand.

The fact that the scope of the vulnerability was limited to a specific version of the software, and affected only one authentication method, made it possible “to provide an immediate workaround until a fix could be delivered,” Jason Thompson, director of global marketing for SSH Communications Security, told SecurityWeek.

The overall impact may be limited because there aren’t many enterprises running Tectia SSH in the first place. There are around 600 hosts running Tectia SSH, according to Rapid7 CSO HD Moore. Computer search engine Shodan identifies about 500, noted Chen. Considering that only Linux/Unix based servers are vulnerable, the actual number would be even smaller, Chen said.

The vulnerability highlights the need for secure shell to have centralized control to defend against growing threats, Thompson said. “Many organizations are still using decades-old processes to manage their secure shell environments, making it easier for hackers to take advantage of a zero-day vulnerability and much more difficult to implement the fix,” he said.

The flaws were disclosed by the same researcher who reported multiple vulnerabilities in MySQL over the weekend.
