Secure Shell (SSH) users should check their installations of the application and determine if they are susceptible to a spate of recently announced vulnerabilities.
The flaws can pose a denial-of-service threat to users and could allow remote attackers to execute code on vulnerable systems. Users should take notice because most client-side versions are vulnerable, said Tas Giakouminakis, chief technology officer of Rapid 7, a New York-based security firm that found the vulnerabilities.
An advisory from the Computer Emergency Response Team of Carnegie Mellon University in Pittsburgh said the flaws include:
- Incorrect length fields (specified length field does not match the actual length of the input)
- Lists with empty elements or multiple separators
- Buffer overflows (length field, if present, is consistent with the actual length of buffer)
- Null characters in strings (which trigger conflicts between delimiter-based and length-based strings)
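All four classes in the list above are input-validation failures in the packet parser: a length field that disagrees with the bytes actually received, a delimiter-based list with stray separators, and NUL bytes that make a length-counted string and a C string describe different data. The parser below is an added example written for this page, not code from Rapid 7, CERT or any SSH implementation; it assumes the SSH wire encoding later standardised in RFC 4251 (big-endian uint32 length prefix, comma-separated name-lists) and shows the checks that reject each class before any buffer is filled.

```c
#include <stddef.h>
#include <stdint.h>
/* Result codes for this hardened parser (constructed example, not code from any SSH implementation). */
enum ssh_parse_result {
    SSH_OK = 0,
    SSH_ERR_TRUNCATED,     /* length field claims more bytes than the packet actually holds */
    SSH_ERR_EMPTY_ELEMENT, /* leading, trailing or doubled separators: ",a", "a,", "a,,b" */
    SSH_ERR_NUL_IN_LIST    /* NUL byte inside a delimiter-based name-list */
};

/* SSH wire format (RFC 4251) encodes lengths as big-endian uint32. */
static uint32_t read_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one SSH "string" (uint32 length + bytes) from buf[0..buf_len). The length field is
 * never trusted: it is checked against the bytes really present, with a comparison that
 * cannot wrap even for a 0xffffffff length. consumed may be NULL. */
enum ssh_parse_result ssh_parse_string(const unsigned char *buf, size_t buf_len,
                                       const unsigned char **out, size_t *out_len,
                                       size_t *consumed) {
    if (buf_len < 4) return SSH_ERR_TRUNCATED;
    uint32_t n = read_u32(buf);
    if (n > buf_len - 4) return SSH_ERR_TRUNCATED;
    *out = buf + 4; *out_len = n;
    if (consumed) *consumed = 4 + (size_t)n;
    return SSH_OK;
}

/* Validate a name-list (comma-separated names, RFC 4251 section 5) already bounded by its
 * length field. Rejects embedded NULs, which make the length-based and C-string views of the
 * same bytes disagree, and empty elements produced by stray separators. */
enum ssh_parse_result ssh_validate_name_list(const unsigned char *s, size_t n) {
    size_t elem_len = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\0') return SSH_ERR_NUL_IN_LIST;
        if (s[i] != ',') { elem_len++; continue; }
        if (elem_len == 0) return SSH_ERR_EMPTY_ELEMENT;
        elem_len = 0;
    }
    /* An empty name-list is legal; a non-empty one must not end in a separator. */
    if (n > 0 && elem_len == 0) return SSH_ERR_EMPTY_ELEMENT;
    return SSH_OK;
}
/* Parse a string field and validate its contents as a name-list in one step. */
enum ssh_parse_result ssh_parse_name_list(const unsigned char *buf, size_t buf_len, size_t *consumed) {
    const unsigned char *s; size_t n;
    enum ssh_parse_result r = ssh_parse_string(buf, buf_len, &s, &n, consumed);
    return r != SSH_OK ? r : ssh_validate_name_list(s, n);
}
```

The same bound check applies to every length-prefixed field in a packet (padding length included), and a server that rejects the packet at this point never reaches the copy that would overflow.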
SSH is a protocol that provides secure communications from a client to a server using encryption, cryptographic host authentication and integrity protection. It has both a server- and client-side component.
Not all server-side software is vulnerable, Giakouminakis said. Users should check the CERT advisory for more information about their specific implementations. Patches should be supplied by vendors. As a workaround, users can limit access to only trusted hosts and networks with firewalls or other packet-screening systems. Some SSH servers can restrict access based on IP addresses. Another way of doing this is with TCP wrappers or other related technology. SSH clients can reduce the risk of attacks by only connecting to trusted servers by IP address.
The flaws found by Rapid 7 aren't the protocol's first security issues. It made the SANS/FBI Top 20 list of most critical Internet security vulnerabilities this year because of previous security concerns. "Although SSH is vastly more secure than the telnet, ftp, and R-command programs it is intended to replace, there have been multiple flaws found," the list states.
Rapid 7 found the vulnerabilities using a suite of tests it developed to examine elements of SSH. The tests examine how SSH handles invalid or incorrect packet and string lengths, padding and padding lengths, malformed strings, and invalid algorithms.
Rapid 7 found buffer overflows occurring before any user authentication took place. Such flaws are particularly dangerous because SSH servers tend to run with system privileges on Windows machines and root privileges on Unix boxes. On the client side, damage would be limited because any attack-submitted code would only run with the privileges assigned to the SSH program.
Even if an attacker can't run code, they could exploit the flaws and crash the SSH program, causing a denial of service. "This is still pretty bad as a server would go down," Giakouminakis said.