According to the Internet Storm Center, there seems to be an SSH zero-day exploit out there.

There is some proof-of-concept code in here and some references:

This seems to be a serious issue, so every Linux/Unix system administrator should be careful.

How do we protect ourselves if this issue is not patched on time? Or how do you handle zero-day exploits in general?

I will post my suggestion in the replies.

Peter Mortensen
sucuri
  • How real is this? A little googletrolling turned up http://seclists.org/fulldisclosure/2009/Jul/0028.html as the most original source of this rumor. Anyone have independent verification of this? – chris Jul 07 '09 at 19:21
  • Lots of good comments on Hacker News about this issue: http://news.ycombinator.com/item?id=692036 – sucuri Jul 07 '09 at 23:43

9 Answers

My suggestion is to block SSH access on the firewall to everyone except your own IP address. On iptables:

/sbin/iptables -A INPUT --source <yourip> -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
sucuri
Comment from Damien Miller (OpenSSH developer): http://lwn.net/Articles/340483/

In particular, I spent some time analysing a packet trace that he provided, but it seems to consist of simple brute-force attacks.

So, I'm not persuaded that an 0day exists at all. The only evidence so far are some anonymous rumours and unverifiable intrusion transcripts.

x-way
According to the SANS post, this exploit does not work against current versions of SSH, and thus isn't really a 0day. Patch your servers, and you should be fine.

Dentrasi
  • technically it is a 0-day exploit (not published and unknown) but that only works on older versions of SSH. However, the default versions on RHEL and Fedora are vulnerable (according to the second post). So, it is a big issue if there is no patch from your distribution (unless you use ssh from source, which is not common)... – sucuri Jul 07 '09 at 18:01
  • They are speculating that based on the attack logs. No one knows for sure... Even the latest version might be vulnerable – sucuri Jul 07 '09 at 20:57
Complain to your vendors

That way everybody gets the newer version.

Brad Gilbert
I don't run ssh on port 22. Since I often log in from different machines, I don't like preventing access via iptables.

This is good protection against zero-day attacks - which surely will go after the default configuration. It's less effective against someone who is trying to compromise just my server. A port scan will show which port I'm running ssh on, but a script attacking random SSH ports will skip over my hosts.

To change your port, simply add or modify the Port line in your /etc/ssh/sshd_config file.

Peter Mortensen
brianegge
  • Running SSH on a non-standard port does seem to reduce the amount of brute-force attacks it is subjected to, and will probably protect you from most worms. It's not a defence against someone manually scanning things though, and a worm may in the future just port scan every port looking for ssh (which is easy, just time-consuming) – MarkR Jul 08 '09 at 07:22
  • @MarkR: It may not stop a determined 'cracker/kiddie/hacker' but it will keep the bots at bay until a fix is released. That is most important imho. – Andrioid Jul 09 '09 at 21:52
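Changing the port as the answer above describes, as an added example that is not from the original post: a helper that rewrites the Port directive in an sshd_config file idempotently and writes it at the top, because Port is a global keyword and any directive placed after a Match block belongs to that block. Function names are assumptions; validate with `sshd -t` and allow the new port in the firewall before restarting sshd.

```shell
#!/bin/sh
# Added example, not from the original answer: set the Port directive in an
# sshd_config file idempotently. Every active "Port N" line and the commented
# default "#Port 22" are removed and a single "Port N" line is written first,
# so it can never land inside a Match block. Run "sshd -t" and open the new
# port in the firewall before restarting sshd, or the restart cuts off new logins.

set_sshd_port() {
    cfg="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    tmp="$cfg.tmp.$$"
    {
        printf 'Port %s\n' "$port"
        # Keep every line that is not a (possibly commented-out) Port directive.
        grep -v -E '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+[[:space:]]*$' "$cfg" || true
    } > "$tmp" && mv "$tmp" "$cfg"
}

# Report the last active Port line in the file (22 when there is none).
sshd_port_of() {
    p="$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{print $2}')"
    echo "${p:-22}"
}
```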
FYI, the original source of the story: http://romeo.copyandpaste.info/txt/ssanz-pwned.txt

There are also two similar stories (hacking astalavista.com and another site): romeo.copyandpaste.info/txt/astalavista.txt
romeo.copyandpaste.info/txt/nowayout.txt

It seems like someone has an agenda: romeo.copyandpaste.info/ ("Keep 0days private")

x-way
  • Agreed. The group behind the original logs that started this has a mission statement to mess with "the security industry" - and what better way to do that than getting everyone in an uproar about "omg! openssh 0day?! how do i find it/stop it/hack with it?" – cji Jul 08 '09 at 20:18
  • It wouldn't be the first time that such rumours and hype have turned out to be false either. – Dan Carley Jul 08 '09 at 20:43
I would firewall and wait. My gut instinct is one of two things:

A> Hoax. Going by the little information, and misinformation, given so far, it is either this...

or...

B> This is a "smoke and deception" attempt, to cause concern over 4.3. Why? What if you, some hacker organisation, find a really cool zero-day exploit in sshd 5.2?

Too bad only cutting-edge releases (Fedora) incorporate this version. No substantial entities use this in production. Plenty use RHEL/CentOS. Big targets. It's well known RHEL / CentOS backport all of their security fixes to retain some sort of basic version control. The teams behind this are not to be sneezed at. RHEL has posted (I read, would have to dig up the link) that they have exhausted all attempts to find any flaw in 4.3. Words not to be taken lightly.

So, back to the idea. A hacker decides to somehow cause a stir about 4.3, causing mass hysteria to UG to 5.2p1. I ask: how many of you have already?

To create some "proof" for misdirection, all "said group" would have to do now is take over some previously compromised system (WHMCS? Previous SSH?), create some logs with some half-truths (attack-ee verified "something" happened, yet some things unverifiable by the target), hoping someone would "bite". All it takes is one larger entity to do something drastic (...HostGator...) to make it a bit more serious, amidst the growing angst and confusion.

Many large entities may backport, but some may just upgrade. Those that upgrade are now open to the real zero-day attack with no disclosure as of yet.

I've seen stranger things happen. Like, a bunch of celebrities dying all in a row...

Peter Mortensen
I compile SSH to use tcprules, and have a small number of allow rules, denying all others.

This also ensures that password attempts are very nearly eliminated, and that when I am sent reports about breakin attempts, I can take them seriously.

Ernie
Switch to Telnet? :)

Joking aside, if you have your firewall properly configured it is already only allowing SSH access to a few hosts. So you are safe.

A quick fix might be to install SSH from source (downloading it from openssh.org), instead of using the old versions that are present on the latest Linux distributions.

sucuri
  • Kerberized telnet is actually reasonably safe. The nice thing about kerberos is you can centrally revoke a key if you want to, unlike ssh where you have to visit each host and remove a key from each authorized_keys file. – chris Jul 07 '09 at 20:23