SSH glitch gives 'skeleton key' to networks

A patch for the Unix remote management shell has been re-released after suggestions attackers have for months been exploiting the vulnerability to gain access to systems

A critical security flaw in SSH has been revealed that threatens servers worldwide.

SSH is a widely used encrypted remote management shell for Unix, Linux and BSD platforms. Experts say attackers have been exploiting the vulnerability to gain access to systems illegally for months.

What started as quiet mumblings and rumours turned into screaming warnings this week as the security community slowly learned of the threat. Chief hacking officer of US-based eEye Digital Security told ZDNet Australia by phone the vulnerability should be taken very seriously. "It's pretty close to a skeleton key to most networks," he said.

It's not uncommon for vulnerabilities in Unix-style systems to be exploited for months by the underground community, Maiffret said. "It's definitely happened in the past with SSH vulnerabilities... it's definitely a recurring theme for Unix vulnerabilities."

Security researcher Mark "Simple Nomad" Loveless, who works with BindView Corporation, doesn't doubt an exploit to the vulnerability is "in the wild". "It sounds like someone's got the exploit... a lot of people are claiming they have it, but it looks like some people actually do," he said during a phone interview.

He says that all versions of OpenSSH running on all distributions of Linux and BSD are affected, excluding those that have patched very recently to version 3.7.1. Loveless says there's actually two vulnerabilities in the software. "[Version] 3.7 was released early this morning, and then 3.7.1 was released about a couple of hours ago," he said. "The thing was just the way the two bugs work.... It looks like the first one was probably fixed with 3.7 and the other one was fixed with 3.7.1."

There are, however, suggestions that some mitigating factors may apply. "There are rumours going around that you need to allow remote root SSH login for the exploit to work," he said. "That's the thing, there are all these rumours going around."

Loveless says people should patch to 3.7.1 as soon as they can. "Exploit code will surface within hours," he warned.

CERT has released an advisory, but it was released prior to the release of the 3.7.1 version upgrade. The OpenSSH patch and advisory has been updated. "All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management errors. It is uncertain whether these errors are potentially exploitable, however, we prefer to see bugs fixed proactively," it reads.