[KLUG Members] [Fwd: SSH hole allows full control]
Adam Tauno Williams
members@kalamazoolinux.org
02 Aug 2001 07:42:52 -0400
Just thought this one was worthy to note. Of course I've ***NEVER***
heard of or seen anyone use ssh in the manner described in this article
(one or two character passwords) and anyone who did use it that was
deserves everything that may come to them. And I have no idea what these
"several administrative accounts" are, neither my Linux or AIX boxes came
with anything that could be described as such. nobody, etc..., all have
a shell of /bin/false, good luck logging.....
---------------------------------------------------------
Hole Found in SSH Remote Access Software for Unix
By Joris Evers
A flaw in SSH Secure Shell 3.0.0 remote access software for Unix could
allow attackers to get full control over servers and workstations
running various flavors of Unix, software maker SSH Communications
Security Corp. warned.
The problem lies in the software's password authentication. Accounts
with passwords that consist of two or fewer characters can be accessed
without entering a password at all, SSH said in a statement on its Web
site.
Such a short password isn't likely for a regular user account, but is
common for several administrative accounts used to manage specific
parts of the server. These accounts, which are installed by default
when the operating system is installed, have standard login names and
passwords and are normally only accessible locally.
"Although these administrative accounts have few privileges, it is
fairly easy to move on, become root, and gain full access over the
machine," said Janne Saarikko, product manager for Secure Shell at SSH
in Finland, in an interview.
Millions of people worldwide use SSH Secure Shell; the software has
become the de-facto standard for encrypted terminal connections and
secure file transfers, according to SSH. The software is provided free
for academic and noncommercial use, which adds to its popularity. SSH
qualifies the flaw as "a serious problem" and advises all users of
Secure Shell 3.0.0 to immediately upgrade to version 3.0.1.
SSH Secure Shell 3.0.0 for Unix workstations is also flawed.
Unauthorized users could access the system if the user has the "sshd2"
daemon for remote access running, SSH said.
"The workstation can be used as a limited server, which is quite
common," Saarikko said.
Affected systems are various versions of Sun Microsystems Inc.'s
Solaris and Hewlett-Packard Co.'s HP-UX as well as various Linux
versions from Red Hat Inc., Caldera Systems Inc. and SuSE Linux AG, SSH
said.
Version 3.0.0 of Secure Shell has only been on the market since June
21, which mitigates the seriousness of the flaw, according to SSH.
"This version hasn't gone out to many customers," Saarikko said.
Jurrien Wijlhuizen, who manages 10 servers running Debian Linux at the
Amsterdam-based Internet services company GUTS Digital Communications
BV and uses Secure Shell, agreed.
"The flaw has no consequences for us. We use an older version of Secure
Shell, a version that has been around for a while and has a proven
track record. The newer version might have more features, but that
doesn't weigh up against the security risk," he said.
Wijlhuizen qualified the hole as "a big goof up" by SSH and said that
serious damage could be done to vulnerable machines, including deleting
the entire system and accessing other systems connected to the Unix box.