
[cobalt-security] SSH Secure Shell Authentication Bypass Vulnerability



Internet Security Systems Security Alert
July 24, 2001

SSH Secure Shell Authentication Bypass Vulnerability 

Synopsis:

SSH Communications Security, Inc. has reported a serious vulnerability
in the SSH Secure Shell application that may allow remote attackers to
gain access to affected systems without a valid password. SSH is
typically used as a secure alternative to "telnet" for terminal
communications. This vulnerability may allow remote attackers to
compromise even the most heavily "hardened" systems. 

Description:

SSH Communications Security, Inc. has released detailed information
describing this vulnerability. SSH is a client-server technology that
mimics the functionality of telnet and provides enhanced security
features, including strong encryption and support for many forms of
authentication.

A vulnerability exists in the way the SSH server daemon (sshd) parses
locked accounts. Administrators "lock" accounts by deleting the password
hash in the Unix password file and replacing it with a "*" character, 
"!!", or "NP" (meaning No Password). Any account without a valid
password hash is considered locked, thereby preventing access with that
account. The vulnerable version of SSH parses these characters
incorrectly and in some cases will allow a remote attacker access to the
system with any password.

System administrators routinely lock accounts instead of deleting them
as a means to disable the account. These locked accounts may be used to
compromise the target system. The threat is compounded because
administrative accounts, such as "lp", "gdm", or "adm", are locked by
default and may also be used to compromise a vulnerable system.  
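
An audit that a defender can run against a host's own password file, added here as an example and not part of the ISS alert: it lists the accounts whose password field is one of the lock markers named above, which are the accounts at risk on a host running the affected version. The function names, the constructed sample entries, and the 13-character minimum length used to spot other non-hash values are assumptions.

```shell
#!/bin/sh
# Added example (not from the alert): report accounts whose password field
# holds a lock marker rather than a hash.
# Input: a passwd- or shadow-format file (colon-separated, field 2 = password).

audit_locked_accounts() {
    # $1: path to the passwd/shadow-format file to audit
    awk -F: '
        /^#/ || NF < 2 { next }                  # skip comments, blank or malformed lines
        $2 == "x"      { next }                  # passwd entry that defers to the shadow file
        $2 == "*" || $2 == "!!" || $2 == "NP" {  # lock markers named in the alert
            printf "%s locked-marker %s\n", $1, $2; next
        }
        $2 == ""       { printf "%s empty-field -\n", $1; next }
        length($2) < 13 {                        # assumption: too short to be a crypt(3) hash
            printf "%s not-a-hash %s\n", $1, $2; next
        }
    ' "$1"
}

# Constructed sample entries (not real hashes, not taken from any system).
make_sample() {
    cat <<'EOF'
root:$1$constructed$0123456789abcdefghijkl:11527:0:99999:7:::
lp:*:11527:0:99999:7:::
gdm:!!:11527:0:99999:7:::
adm:NP:11527:0:99999:7:::
alice:abJnggxhB/yWI:11527:0:99999:7:::
EOF
}

# Demonstration on the constructed sample; on a real host, pass the
# system's own password or shadow file as the argument instead.
sample=$(mktemp)
make_sample > "$sample"
audit_locked_accounts "$sample"
rm -f "$sample"
```

Each output line gives the account name, the reason it was flagged, and the field value; accounts with a real hash are not listed.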

Remote attackers may also take advantage of the banner feature included
in SSH to identify vulnerable systems. The SSH daemon reports its
version number to the client in the form of a banner. Many tools exist
in the wild that scan networks and report SSH version numbers. ISS
X-Force suspects that scanning tools will soon be available to
automatically scan and compromise machines affected by this
vulnerability. This vulnerability is a candidate for integration into a
"worm" because the vulnerability is lightweight and relatively easy to
exploit.

Affected Versions:

SSH Secure Shell 3.0.0 for Unix (if password authentication is used)

Windows versions are not affected by this vulnerability.

Recommendations:

Detailed exploit information has been released publicly, and ISS X-Force
urges system administrators to upgrade to the latest version of SSH
Secure Shell made available by SSH Communications Security, Inc. SSH
Communications Security, Inc. has announced a new version of SSH that
contains a fix for this vulnerability. ISS X-Force recommends that all
SSH Secure Shell 3.0.0 users upgrade to SSH Secure Shell 3.0.1
immediately.  The new version is available at the following addresses:

http://commerce.ssh.com
ftp://ftp.ssh.com/pub/ssh


ISS Internet Scanner Vulnerability Assessment customers may use the
following Flex Check to detect vulnerable SSH installations. The Flex
Check is available at the following URL:

https://www.iss.net/cgi-bin/download/customer/download_product.cgi

The next X-Press Update for Internet Scanner will include a check for
this vulnerability. In addition, a signature for this vulnerability will
be available for RealSecure Network Sensor in an upcoming X-Press Update.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2001-0553 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for 
security problems.


______

About Internet Security Systems (ISS) 
Internet Security Systems is a leading global provider of security 
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business.  With its industry-leading
intrusion detection and vulnerability assessment, remote managed
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 8,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks and the top 10 U.S. 
telecommunications companies.  Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East.  For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail xforce@xxxxxxx for permission.

Disclaimer

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of or
in connection with the use or spread of this information. Any use of
this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@xxxxxxx of Internet Security Systems, Inc.