SSH Communications Security, a Finnish company, reported Monday that the latest edition of its SSH Secure Shell software, version 3.0.0, released June 21, can let an attacker gain control over some Unix or Linux computers.
SSH is software designed to secure the text-based user interface--or "shell"--people use to remotely log in to computers and send them commands. SSH checks people's passwords and lets authorized individuals open and use the shell by way of an encrypted communications channel. The encryption prevents outsiders from intercepting the commands sent from computer to computer.
As a result of the vulnerability, though, SSH lets anyone remotely log in to an account that uses a two-character password by simply leaving the password field blank and hitting Enter. A two-character password is not likely for most active users' accounts, but it's common for several administrative accounts for functions such as controlling printers or for accounts that the system administrator has locked to temporarily disable access, said Dan Ingevaldson, leader of Internet Security Systems' X-Force research and development team.
"In certain cases, users could log in to accounts with any password," said Al David, senior director for technical services at SSH. That initial access then could serve as a launching point for a second attack that could give the attacker complete control over the system.
SSH released a patch, version 3.0.1, which can be downloaded from the company's FTP site.
The security hole is a strong risk, Ingevaldson said, though it's ameliorated by the fact that SSH doesn't ship by default with any of the vulnerable operating systems.
"It's a pretty big bug. Secure Shell is a trusted" software tool in very widespread use--though not necessarily SSH's version. "I'm quite positive there are scripting utilities being written or used right now" to scan for the vulnerability and take advantage of it, Ingevaldson said.
Security vulnerabilities, while an ages-old problem for computer administrators, are gaining importance as the Internet grows in popularity, the number of networked computers increases, and companies come to depend on those computers. Most recently, many Windows systems were susceptible to the Code Red worm, which spread so far that it tried to infect every single Internet address more than 20 times on average.
There are some caveats that reduce the severity of the SSH problem, though, chief among them the fact that version 3.0.0 is relatively new.
A hurdle for would-be attackers is that administrative utilities such as the one that controls printers typically can't open a shell for issuing commands to the computer, said Dave Wreski, chief technology officer of Guardian Digital. Those programs interact directly, without need of a user interface.
But attackers still could take control of the system, said Stephanie Thomas, an SSH technical support specialist. "The belief is that even without a shell, this could be exploited," she said.
Chairman Tatu Ylonen founded SSH in 1995 when he launched a software project to replace Unix's "telnet" command to log in to remote computers. SSH's encrypted communications channel shields commands sent in the open, as with telnet.
Early versions of the software were freely available and became the basis of other projects such as OpenSSH, which ships with several versions of Linux.
SSH heard about the problem late Wednesday and began notifying customers Thursday. However, the company said, many people have downloaded the software because it may be used free for academic or other noncommercial uses. In addition, the SSH license permits free use on freely available operating systems such as Linux and FreeBSD.
In addition to the security problem with version 3.0.0, HP-UX computers running SSH version 2.3 or 2.4 are vulnerable if an administrator has created an account with a two-character password--something the operating system wouldn't do on its own.
Versions of Linux that are vulnerable include those from Red Hat, Caldera International, SuSE and Debian, the company and experts said.