Used OpenSSH Opens Servers To Password Cracking
Under normal circumstances, OpenSSH will allow just three or six login attempts before closing a connection (the server's MaxAuthTries setting defaults to six, and the stock client gives up after three password prompts), the researcher who goes by the moniker KingCope wrote in a blog post published last week. The recently discovered vulnerability, however, allows attackers to perform thousands of authentication requests during an open login window, which is governed by the server's LoginGraceTime setting and by default lasts two minutes. As a result, attackers who cycle through the most commonly used passwords face much better odds of finding the right one, since the vulnerability lets them try many more candidates per connection than they otherwise could.
KingCope wrote:
"A simple way to exploit the bug is to execute this command:
ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost
This will effectively allow up to 10000 password entries limited by the login grace time setting.
The crucial part is that if the attacker requests 10000 keyboard-interactive devices openssh will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded."
The post includes exploit code that works with the latest release of OpenSSH, which is version 6.9. In a separate post, KingCope said his exploit worked against a version of OpenSSH included in a 2007 release of the FreeBSD operating system. OpenSSH developers didn't respond to an e-mail seeking comment for this article.
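To make the quoted description concrete, the following is a simplified model of the keyboard-interactive device loop, written for this article; it is not code from OpenSSH or from KingCope's post. It assumes a server that offers a single device named "pam", stands in for LoginGraceTime with a budget of prompts that fit in the window, and uses a constructed wordlist. The hardened variant, in which each listed device may be selected only once per authentication request and every failed prompt counts against MaxAuthTries, is modelled on, not copied from, the fix OpenSSH later shipped.

```python
"""Model of the keyboard-interactive submethod loop (illustrative, not sshd code)."""
from dataclasses import dataclass


def build_submethods(n: int, device: str = "pam") -> str:
    """Equivalent of perl -e 'print "pam," x N' from the quoted command."""
    return (device + ",") * n


@dataclass
class Guesser:
    """Attacker cycling through a wordlist, one guess per password prompt."""
    wordlist: list
    index: int = 0

    def next_guess(self):
        if self.index >= len(self.wordlist):
            return None
        guess = self.wordlist[self.index]
        self.index += 1
        return guess


def vulnerable_server(submethods, secret, guesser, grace_prompts, devices=("pam",)):
    """Walk every entry of the client-supplied list and prompt once per entry.

    grace_prompts stands in for LoginGraceTime: the number of prompts that fit
    in the window before the connection is torn down (assumption for the model).
    Returns (authenticated, prompts_issued).
    """
    prompts = 0
    for dev in submethods.split(","):
        if dev not in devices:
            continue                      # unknown names are skipped, not counted
        if prompts >= grace_prompts:
            break                         # grace time expired, connection closed
        prompts += 1
        if guesser.next_guess() == secret:
            return True, prompts
    return False, prompts


def hardened_server(submethods, secret, guesser, max_auth_tries=6, devices=("pam",)):
    """Each configured device may be chosen once per request, and every failed
    prompt is a failed authentication attempt counted against MaxAuthTries."""
    prompts = 0
    failures = 0
    used = set()
    for dev in submethods.split(","):
        if dev not in devices or dev in used:
            continue
        used.add(dev)
        prompts += 1
        if guesser.next_guess() == secret:
            return True, prompts
        failures += 1
        if failures >= max_auth_tries:
            break
    return False, prompts


# Constructed sample data: a 5,000-entry wordlist and a secret deep inside it.
WORDLIST = [f"password{i}" for i in range(5000)]
SECRET = "password4242"


def demo():
    """Run both servers against the 10,000-device request from the post."""
    request = build_submethods(10000)
    vuln = vulnerable_server(request, SECRET, Guesser(WORDLIST), grace_prompts=10000)
    short = vulnerable_server(request, SECRET, Guesser(WORDLIST), grace_prompts=1000)
    hard = hardened_server(request, SECRET, Guesser(WORDLIST))
    return {"vulnerable": vuln, "short_grace": short, "hardened": hard}


if __name__ == "__main__":
    for name, (ok, n) in demo().items():
        print(f"{name:12s} authenticated={ok} prompts={n}")
```

The model shows the two levers the article discusses: on the vulnerable server the only bound on guesses is the grace window, so a shorter LoginGraceTime directly cuts the attacker's budget, while on the hardened server the list length is irrelevant because a repeated device name buys nothing.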
In some respects, the severity of the vulnerability can be viewed as mild. But that assumes OpenSSH users are using a cryptographic key for authentication, with password and keyboard-interactive logins disabled on the server. Under such an arrangement, only computers holding the private key are able to access the Internet-facing server, and extra password prompts gain an attacker nothing. On top of that, servers themselves should be configured to rate-limit connection attempts from a given source address, for instance with firewall rules or a tool such as fail2ban. Note that the per-connection limit MaxAuthTries imposes is exactly what this bug sidesteps, so the limit has to apply across connections from the same source; applied that way, it should go a long way toward making exploitation impractical.
In other respects, the vulnerability has the potential to create serious problems. Brute-force password attacks against SSH-enabled machines are a regular event, suggesting that enough servers remain vulnerable to password guessing to make it worth attackers' time.
"Sadly, SSH brute-force attacks are still a credible threat on the Internet, so this vulnerability will make those attacks easier and more efficient," Jon Oberheide, CTO of two-factor authentication provider Duo Security, told Ars. "It's one of those bugs where the well-configured servers won't be affected at all, but the poorly configured servers that were already at risk due to low-throughput brute-force attacks are now at even greater risk."
People who rely on OpenSSH should take the time to ensure that they're using a cryptographic key pair of adequate strength: an RSA key of at least 2,048 bits, or an Ed25519 key. They should also make sure the private key is protected by a strong passphrase, and that the server turns off password and keyboard-interactive (ChallengeResponseAuthentication) logins so that keys are the only accepted method. And again, users should ensure servers rate-limit connection attempts per source address. Still, assuming OpenSSH developers fix the bug, users should install the patch out of an abundance of caution.
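The server-side recommendations above can be checked mechanically. The following audit script is written for this article and is not an OpenSSH tool; it reads the global section of an sshd_config (directives before the first Match block, first occurrence of a keyword winning, as sshd itself resolves them), compares the relevant settings against sshd's defaults, and flags the weak ones. The target values for LoginGraceTime (30 seconds) and MaxAuthTries (3) are assumptions chosen for the audit, not figures from the article, and both sample configurations are constructed.

```python
"""Audit the global section of an sshd_config for the settings discussed above."""
import re

# Assumed targets for this audit (not from the article).
MAX_GRACE_SECONDS = 30
MAX_AUTH_TRIES = 3


def parse_global(config_text):
    """Return {keyword: value} for directives before the first Match block.

    Keywords are case-insensitive, 'Key value' and 'Key=value' are both
    accepted, and the first occurrence wins, as in sshd.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                # everything after is conditional
        settings.setdefault(key, value)
    return settings


def seconds(value):
    """Parse sshd's time format: bare seconds or a number with s/m/h/d/w suffix."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    if not m:
        raise ValueError(f"unparseable time value {value!r}")
    mult = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return int(m.group(1)) * mult[m.group(2)]


def audit(config_text):
    """Return a list of findings; an empty list means the checks all passed."""
    s = parse_global(config_text)
    findings = []
    # sshd defaults apply when a keyword is absent: yes / yes / yes / 120 / 6.
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication should be no: password guessing is the attack")
    if s.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication should be no: keyboard-interactive is the abused path")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication should be yes: keys should be the only way in")
    grace = seconds(s.get("logingracetime", "120"))
    if grace > MAX_GRACE_SECONDS:
        findings.append(f"LoginGraceTime is {grace}s; {MAX_GRACE_SECONDS}s or less shrinks the attack window")
    tries = int(s.get("maxauthtries", "6"))
    if tries > MAX_AUTH_TRIES:
        findings.append(f"MaxAuthTries is {tries}; {MAX_AUTH_TRIES} or less limits guesses per connection")
    return findings


# Constructed sample: the weak settings, including sshd's defaults left in place.
WEAK_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
LoginGraceTime 2m
MaxAuthTries 6
Match User backup
    PasswordAuthentication no
"""

# Constructed sample: keys only, short window, few tries.
HARDENED_CONFIG = """\
# constructed sample, not a real host's configuration
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
LoginGraceTime 20
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

The PasswordAuthentication line inside the Match block of the weak sample is deliberately ignored: it applies only to that user, so it does nothing for the global exposure the article describes. Per-source rate limiting lives outside sshd_config (firewall or fail2ban) and is not covered by this check.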