Another critical SSH vulnerability uncovered

Red Squirrel

No Lifer
May 24, 2003
This is pretty serious for anyone that may have a web server with public-facing SSH. Might be time to start considering some sort of alternative to simply leaving it wide open. Maybe port knocking or something, or a web-based authentication form that opens up the port to your IP only.

 

ch33zw1z

Lifer
Nov 4, 2004
OpenSSH is a suite of software tools that enable secure remote login using the SSH encryption protocol. It is included in all glibc-based Linux systems, which means virtually every major distribution except for Alpine Linux, which uses libc. BSD systems are not affected. Qualys says it does not yet know the extent to which macOS or Windows operating systems may be impacted.

Using the Censys and Shodan search engines, TRU researchers identified over 14 million potentially vulnerable OpenSSH server instances exposed to the internet. Among Qualys customers, there are around 700,000 such instances, representing 31% of the customer base.

OpenSSH versions earlier than 4.4p1 (released 2006) are vulnerable unless they've been patched for CVE-2006-5051 and CVE-2008-4109. Versions 8.5p1 (released March 2021) up to, but not including, 9.8p1 (released 1st July, 2024) are also affected, owing to the accidental removal of a critical component. The vulnerability has been fixed in version 9.8p1.

Vendors are expected to release their own patches shortly. In the meantime there are mitigating measures that organisations can take.

"If sshd can't be updated or recompiled, set LoginGraceTime to 0 in the config file," the researchers recommend. "This exposes sshd to a denial of service by using up all MaxStartups connections, but it prevents the remote code execution risk."

Computing has contacted Qualys to ask whether any exploitations of regreSSHion have been observed in the wild.

Weird, I'm using SSH 2.0 like most people, but I still gotta check the version.
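
The version ranges and the LoginGraceTime stopgap quoted above can be turned into a quick self-check. This is an added example, not code from the thread, from Qualys or from Computing; it assumes you paste in your own `ssh -V` banner and sshd_config text, and the sample inputs below are constructed.

```python
import re

# Affected ranges as stated in the advisory summary quoted above:
# anything before 4.4p1 (unless CVE-2006-5051 / CVE-2008-4109 were backported),
# and 8.5p1 up to but not including 9.8p1. Tuples are (major, minor, portable).
VULN_RANGES = [((0, 0, 0), (4, 4, 1)), ((8, 5, 1), (9, 8, 1))]

_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p(\d+))?")
_GRACE_RE = re.compile(r"^[ \t]*LoginGraceTime[ \t]+(\S+)", re.IGNORECASE | re.MULTILINE)

def parse_openssh_version(banner: str):
    """Return (major, minor, portable) from an `ssh -V` or sshd banner string,
    or None when no OpenSSH version is present."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))

def version_in_vulnerable_range(banner: str) -> bool:
    """First-pass check only: distributions backport fixes without changing the
    upstream version string, so confirm against your vendor's advisory."""
    v = parse_openssh_version(banner)
    if v is None:
        raise ValueError(f"no OpenSSH version found in {banner!r}")
    return any(lo <= v < hi for lo, hi in VULN_RANGES)

def mitigated_by_config(sshd_config: str) -> bool:
    """True when the advisory's stopgap, LoginGraceTime 0, is in effect.
    sshd honours the first occurrence of a keyword, and commented-out lines
    do not match because '#' is not whitespace."""
    m = _GRACE_RE.search(sshd_config)
    return m is not None and m.group(1) == "0"

def assess(banner: str, sshd_config: str = "") -> str:
    if not version_in_vulnerable_range(banner):
        return "version outside the affected ranges"
    if mitigated_by_config(sshd_config):
        return "affected version; RCE mitigated by LoginGraceTime 0 (DoS exposure remains)"
    return "affected version; unmitigated: patch to 9.8p1+ or set LoginGraceTime 0"

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    banner = "OpenSSH_9.6p1 Ubuntu-3ubuntu13.3, OpenSSL 3.0.13 30 Jan 2024"
    config = "#LoginGraceTime 2m\nPermitRootLogin no\nLoginGraceTime 0\n"
    print(assess(banner, ""))
    print(assess(banner, config))
```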
 

Red Squirrel

No Lifer
May 24, 2003
I would hope that people are not actually exposing SSH to the internet on their router, though; if yes, that's a big yikes, no cap. Even if there's no vulnerability, if there is not something like fail2ban and there is no monitoring of login attempts, someone will eventually get in. At least with a web server it's something that tends to be kept updated and is monitored properly, etc. Routers tend to be more set-and-forget.

This vulnerability and the past ones have made me realize I need to rethink having SSH facing the internet on my web server, though. I might write an application that listens on a different port; I would need to authenticate through that application first, and then it would temporarily open up the SSH port only to my IP. Basically a 2nd authentication layer. I'd build it so it's easy enough to automate, so that the automatic rsync backups can still run.
 

Red Squirrel

No Lifer
May 24, 2003
VPN is a royal pita to set up, and I don't know if it would really be any more secure, as it's even more complex so it has more attack surface. Ex: Heartbleed. I think the only way to be safe is to not have anything management-related that's wide open, and set it up so you have to trigger it to open up and only for your IP.
 

ch33zw1z

Lifer
Nov 4, 2004
VPN is a royal pita to set up, and I don't know if it would really be any more secure, as it's even more complex so it has more attack surface. Ex: Heartbleed. I think the only way to be safe is to not have anything management-related that's wide open, and set it up so you have to trigger it to open up and only for your IP.

My router makes VPN pretty easy to set up and to use. My password manager easily generates passwords up to 64 characters.

As far as SSH goes, if you're into Linux then set up 2FA for an extra layer of protection.

 