A recently disclosed flaw in the OpenSSH software, used to remotely access Internet-facing computers and servers around the world allows attackers the ability to guess millions of passwords simultaneously, with no lock-out or restriction time, leaving OpenSSH vulnerable to password cracking, one security researcher warned.
Out-of-the-Box OpenSSH will commonly only allow three to six login attempts before closing a connection, a researcher who goes by the name moniker KingCope wrote in a blog post last week. The vulnerability uncovered allows a potential attacker to perform as many authentication requests as they desire during a single login window, which lies available for only two minutes at a time.
As a result, attackers who guess the most commonly used passwords and make use of large password lists face much better chances at finding success, as the vulnerability allows them to try thousands of choices at one time.
In KingCope’s post, he explained:
A simple way to exploit the bug is to execute this command:
ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost
This will effectively allow up to 10000 password entries limited by the login grace time setting.
The crucial part is that if the attacker requests 10000 keyboard-interactive devices openssh will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded.
In KingCope’s post he includes the exploit code that works against the latest version of OpenSSH, version 6.9. KingCope continued in another post saying the exploit has been present in nearly every version of OpenSSH, it was even found present in a 2007 release of the FreeBSD operating system.
Some view the OpenSSH vulnerability as a mild flaw, but that’s assuming all OpenSSH servers are configured using a cryptographic key for authentication. If this were the case, only computers holding the private key are able to access the Internet-connected servers. Alongside that, servers should already be configured to limit the number of login attempts, and that single countermeasure could banish the 8-year-old flaw.
Yet, the vulnerability retains an immeasurable amount of power. Brute-force login attacks against SSH-enabled systems is still commonplace, but this stresses, yet again, that a majority of Internet-facing servers are setup insecurely and remain vulnerable to the OpenSSH vulnerability.
Brute-force attacks still remain a very prevalent threat, yet servers configured properly will have no issue against deflecting such an attack.
Those who rely on OpenSSH should ensure that they’re using a cryptographic key pair that’s at least 2,048 bits in strength, Ars Technica reported. You should also ensure the private key is safeguarded by a strong and complex password. Also, servers should be properly configured to deflect against such type of attacks. However, assuming OpenSSH developers are working to fix the flaw, users should keep their OpenSSH version up-to-date with the latest patch.