A ‘white hat’ hacker going by the name of ‘King Cope’ demonstrated the proof-of-concept (PoC) attack earlier this week, writing in a blog post that although the encrypted service by default accepts six password attempts within a two-minute window before dropping the connection, attackers can sidestep that limit and impose their own.
King Cope says the vulnerability affects everything from the latest version of OpenSSH (6.9) to a 2007 release of the FreeBSD operating system, and that an attacker can potentially script up to 10,000 login attempts within a single session without the server slowing them down.
Crucially, the attack is only viable when Linux and BSD administrators are using usernames and passwords to log in, which isn't enabled by default, according to ‘King Cope’. But Francis Turner, VP of security and research at ThreatSTOP, told SCMagazineUK.com that sysadmins will often enable passwords because the alternative, public key cryptography, “is too much hassle.”
Other security experts have called this flaw (CVE-2015-5600) a feature, or an implementation bug, rather than an outright vulnerability that needs patching. In a Naked Security blog post, Sophos criticised the white hat for not disclosing it responsibly.
“This is an implementation flaw with OpenSSH (not to be confused with OpenSSL, which has had its fair share of problems lately) that can be abused with relative ease,” said Nettitude principal security consultant Chris Oakley in an email to SC.
“It is significant in so far as it's an interesting flaw; the attack vector is simple and abuses functionality that has existed within OpenSSL for a sustained period of time. Anecdotally, evidence does not suggest that this has been taken advantage of in the wild, though.
“On an individual level, the impact could be high; it's not inconceivable that remote root access could be achieved via this flaw. However, it is unlikely to have significant widespread impact because all but the most poorly configured servers will have one or more additional layers of defence, which will render this attack somewhere between inefficient and ineffective. Such defences include strong passwords (something that even the least security conscious admins are likely to employ), root access being disabled, intrusion prevention systems, key-based authentication and – arguably most importantly – restricted access to the service at the firewall.
“Concerned individuals should ensure that at least some of those defences are adhered to as standard practice. Minimising the attack surface of a given system should be a primary goal in hardening it. To that end, most SSH services are not required by all users. Restricting service visibility to a small subset of clients is a really helpful strategy. Finally, there is a patch available, which should be applied with priority.”
Turner, whose firm ThreatSTOP curates a list of bad IPs and domains so companies can block these from their firewalls, as well as protecting the same customers from hackers scanning SSH for brute force attacks, added:
“The point of this vulnerability is that, as it turns out, normally when using OpenSSH you get three to six goes at password, and then you get told to go away, you can't login again. If you're lucky sometimes you get more than six goes.
“The problem with this vulnerability in OpenSSH is that a hacker or researcher could request the server to give 10,000 sessions…There's no real limit.”
Administrators authenticating with public and private keys should be safe; failed login attempts can still be detected and the IP addresses attempting brute force banned. Experts encourage rolling out the patch when available (when v7.0 goes live in the next few weeks), reducing the login grace period to 20 to 30 seconds and limiting access to SSH at the firewall.
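The mitigations above, as an added example that is not code from the article or from OpenSSH: a POSIX shell audit of an sshd_config file against the settings recommended here (key-only authentication, no root login, a short LoginGraceTime). The helper names and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the article's recommendations.
# Helper names and the sample configs below are constructed, not real hosts.

# Effective value of one directive. sshd honours the first occurrence of a
# directive, so take the first non-comment match; Match blocks are not handled.
sshd_opt() {   # usage: sshd_opt <config-file> <Directive>
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Returns 0 when every recommended setting is present, 1 otherwise, and prints
# one FAIL line per missing mitigation.
audit_sshd_config() {
    cfg="$1"; rc=0
    # Key-based authentication only: password logins are what the attack needs.
    [ "$(sshd_opt "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication should be no"; rc=1; }
    # Root should not be reachable by password guessing at all.
    [ "$(sshd_opt "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "FAIL: PermitRootLogin should be no"; rc=1; }
    # The article recommends 20-30 seconds; the default is 120. A value with a
    # unit other than a trailing "s" (e.g. "1m") is treated as too long.
    grace="$(sshd_opt "$cfg" LoginGraceTime)"
    grace="${grace%s}"
    if [ -z "$grace" ] || ! [ "$grace" -le 30 ] 2>/dev/null; then
        echo "FAIL: LoginGraceTime should be 30 or less"; rc=1
    fi
    return $rc
}

# Constructed sample: a stock-looking config that relies on the defaults.
write_weak_config() {
    cat > "$1" <<'EOF'
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
EOF
}

# Constructed sample: the same host after applying the article's advice.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
PasswordAuthentication no
PermitRootLogin no
LoginGraceTime 30
EOF
}

tmp="${TMPDIR:-/tmp}/sshd-audit.$$"
write_weak_config "$tmp.weak"; write_hardened_config "$tmp.hard"
audit_sshd_config "$tmp.weak" || echo "weak config fails audit (expected)"
audit_sshd_config "$tmp.hard" && echo "hardened config passes audit"
rm -f "$tmp.weak" "$tmp.hard"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; a non-zero exit means at least one of the article's mitigations is missing.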
SSH (Secure Shell) is one of the most widely used and important remote access tools in the world. OpenBSD's OpenSSH is the most widely used implementation and runs on almost all Linux and Unix systems.
The software can also be found on Apple's Mac OS X operating systems, and products from the likes of Cisco, HP, IBM, Dell and Juniper Networks.