Originally published at: https://boingboing.net/2018/08/22/eternal-defects.html
…
All versions of Openssh share a ~~critical~~ low to medium risk vulnerability, including embedded code that will never be updated.
Fixed it for you. As a security researcher, I have never flagged username enumeration as a high or critical risk item. Bad, yes. But, “rip all systems from the network and patch them or buy new hardware” as calling something critical implies, this problem is not.
Yeah, the main threat I can think of is if there are certain users w/ common default PWs in various flavors of *nix… but wouldn’t you be able to know to try those through the OS enumeration of a tool like nmap?
This is why for any production use, you should use key based auth anyhow.
I would guess that the great majority of affected embedded installations have a single, static ssh user (probably called “admin”), in which case this flaw is very nearly moot.
There are situations where knowing a list of usernames would significantly assist in other mischief, or even be compromising in itself. But if a host has a non-trivial set of user accounts, it’s likely to be a sufficiently complex system that it is possible to do the full range of admin stuff, including patching software (though whether that actually happens is another question).
I reckon a significant percentage of those “billions” already have the rather more concerning “heartbleed” bug. That was only four years ago.
Ssh! The baby’s sleeping!
Most of those crummy IoT devices have usernames that can’t be changed and are well-known anyway.
Don’t put password-based-auth devices on the internets. That goes for SSH, your router admin page, whatever. Bots will dictionary attack you all day long.
And the usual adage for IoT devices applies - go with companies who stand by their products or are at least certified by standards that require significant security (like Apple’s HomeKit). Yes, these cost more, but that’s in part because they have to do more than toss a few COTS parts together, package it and sell it on Amazon as a throwaway.
OpenSSH is a very fine piece of Free Open Source Software, that has made the world a better place. Thank you Dug Song, Markus Friedl, and all the other coders involved!
And of course, like all critically important communications software, it is constantly being attacked and analyzed, and when shortcomings are revealed, they are remediated. At no charge to end users whatsoever, since it’s FOSS.
So anyway, three points to make here:
1. Embedded systems and low cost commercial stuff like routers and light bulbs rarely use OpenSSH; they typically run a lightweight SSH server like Dropbear, since they don’t need most of OpenSSH’s features and are resource-constrained.
2. As @veggiespam already noted, user enumeration is not a critical vulnerability; close to 100% of systems have some kind of known users anyway, such as a “root” or an “admin” account. It’s a real vulnerability, just not “critical”.
3. Cory’s concern over abandoned devices is real and deserves to be frequently mentioned, but that’s not a problem with OpenSSH; it’s a problem with software distribution and maintenance that impacts all abandonware, and in particular OS kernels.
Until the keys are stolen.
I don’t know how to make this “deserves all the likes” or whatever the cool kids are calling it these days, but it does!!! (Maybe it’s “Needs more likes”? Am I getting close?)
And that same “admin” user also has a password of “admin” or other well known fixed string. Most of the un-update-able devices are so bad on security from the start that having a moderate issue like this is a tiny drop in the ocean. I’ve owned more than one “modern” networking device that only supported telnet as a console login method.
Pfft. On secure systems, the password is “password”. Nobody ever guesses that! (Except uberleet foreign hackers who hate us for our freedoms, of course)