OpenSSH Exploit, Rumor or Not…

Wednesday, 8. July 2009

Well, it’s that time of year again. We are heading toward the Black Hat conference at the end of July, and the net is abuzz with exploits and rumors of exploits.

One such rumor has to do with a package that is the backbone of network and server management on the web. OpenSSH or “Secure SHell” is used by every *nix administrator in the world to manage servers. The thought of an exploit against this package sends shivers down every administrator’s spine.

At this point, there is no hard evidence to confirm that this bug actually exists. Most of the posts seem to point to the problem being isolated to older versions of OpenSSH. The current evidence at this time consists of a couple of logs showing the exploit being run against what appears to be a Red Hat box running OpenSSH 4.3.

Here is a brief summary of what everyone believes to be going on:

  1. The limited information available points to only older versions of OpenSSH being affected.
  2. Logs show the exploit being run against what appear to be Red Hat servers.
  3. Although there are quite a few people out there saying they know of systems compromised by this exploit, THERE ARE NO CONFIRMED CASES AT THIS TIME!

None of the system packagers are commenting about this. When Red Hat was asked by The “H” if they had any reports of the exploit, they said “They are aware of the rumors and are watching the situation with the aim of collecting more information”.

So, what do you do? Do you just wait for the distribution maintainers to find, fix, and release the fix to this? How do you know if you are exposed, and how would you know if someone actually got onto your system?

Well, first off, remember what the Hitchhiker’s Guide has on its front cover: DON’T PANIC! But do take action!

Why take action? I mean, after all, this is just a rumor at this point right? No one has stepped forward with evidence to prove this is real…

This is true, but don’t expect a large corporation to come out and admit they have been compromised. And you certainly won’t see anyone stepping forward and saying there is a problem publicly until they have a patch, or the exploit gets publicly posted.

Here’s what you should do to reduce your exposure to this if you manage a server that runs SSH:

  • Upgrade to the latest version of SSH available from your distribution.
  • Block SSH access from the Internet. If you must access your servers remotely, create a filter to only allow your trusted IP addresses to connect via SSH.
  • Keep an eye on your /tmp and /var/tmp directories for strange files.
  • Watch for strange traffic, or even spikes in traffic, as well as increased system loads.
  • Look for storage space availability changes, large increases in file counts / sizes.
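The filter-by-trusted-address and "how would you know if someone actually got onto your system" points above can be backed by a quick review of the sshd log. The script below is an added example, not part of the original post: it walks sshd syslog lines (constructed sample lines in the format OpenSSH writes to /var/log/secure on Red Hat; the trusted address 198.51.100.10 is an assumption) and flags accepted logins from addresses outside your trusted list, plus any address that was accepted only after repeated failures.

```python
import re
from collections import defaultdict

# Matches the sshd syslog lines OpenSSH writes for login attempts.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample lines; 198.51.100.10 is the (assumed) admin workstation.
SAMPLE_LOG = """\
Jul  8 03:10:01 web1 sshd[2177]: Failed password for invalid user oracle from 203.0.113.7 port 50990 ssh2
Jul  8 03:10:09 web1 sshd[2180]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jul  8 03:12:44 web1 sshd[2190]: Accepted password for root from 203.0.113.7 port 51122 ssh2
Jul  8 03:12:44 web1 sshd[2190]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  8 09:15:02 web1 sshd[2301]: Accepted publickey for stu from 198.51.100.10 port 40021 ssh2
"""

TRUSTED_IPS = {"198.51.100.10"}


def review_sshd_log(text, trusted_ips, fail_threshold=2):
    """Return a list of (ip, reason) findings from sshd syslog text.

    Flags any accepted login from an address outside `trusted_ips`, and any
    address that failed at least `fail_threshold` times before a login was
    accepted (the usual sign of a successful password-guessing run).
    """
    failures = defaultdict(int)
    findings = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue  # not a login-attempt line (session open, PAM noise, ...)
        ip, user, method = m.group("ip"), m.group("user"), m.group("method")
        if m.group("result") == "Failed":
            failures[ip] += 1
            continue
        if ip not in trusted_ips:
            findings.append((ip, f"accepted {method} login for {user} from untrusted address"))
        if failures[ip] >= fail_threshold:
            findings.append((ip, f"login for {user} accepted after {failures[ip]} failures"))
    return findings


if __name__ == "__main__":
    for ip, reason in review_sshd_log(SAMPLE_LOG, TRUSTED_IPS):
        print(f"{ip}: {reason}")
```

On a real box, feed it the contents of /var/log/secure (or wherever your syslog sends the authpriv facility) and your own trusted address set.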

I’ve been seeing posts that recommend building and installing OpenSSH from the latest sources, but until we have more concrete evidence as to the total reach (if any) of this exploit, I’d probably pass on that fix. It is a viable course of action, but nobody knows at this point if the latest version isn’t exploitable as well. I would stay away from 3rd-party patches that are not provided by your packager or the OpenSSH team as well. It would be a real shame to download a patch that actually introduces an exploit rather than fixing one.

If it turns out that all the rumors are true, your actions now may protect you from a long and expensive recovery. If it turns out this whole thing is a hoax, so what! You were prepared, you didn’t go overboard, and you used common sense to protect your server(s).

— Stu
