OpenSSH zero day exploit rumours not confirmed
After several days, rumours of a possible zero day exploit for a previously unknown security vulnerability in older versions (4.3) of OpenSSH have not been confirmed. The recently observed intrusions into a number of systems instead appear to be the result of successful brute force attacks. Analysis of an attack on one of the affected servers does suggest a brute force attack rather than exploitation of a vulnerability, and OpenSSH maintainer and developer Damien Miller does not believe that there is a zero day exploit.
Nonetheless, US web host HostGator was sufficiently alarmed by the rumours to block all SSH access to customer servers as a precautionary measure, regardless of whether authentication was by password or public key. The HostGator support team fanned the flames by confirming the existence of the vulnerability on its customer forum and stating that it was working on a patch.
Speculation was triggered by postings on mailing lists including logs of break-ins into various servers by a group calling itself Anti-Sec, which repeatedly listed a tool by the name of 0pen0wn/openPWN. In mid June, the group cracked several servers, including a server hosting security site astalavista.com and more recently a server management supplier. Anti-Sec reacted to investigations by the operators of Astalavista by breaking into a server owned by one of the people who runs Astalavista (see here for log). From the logs it was clear that the tool was able to break into OpenSSH installations that used version 4.3.
This version is found in CentOS/Red Hat Enterprise Linux (RHEL), for example, and in the latest version of Debian Etch. Although the version number is already several years old (version 5.2 is the latest available version), the Red Hat development team tends to backport patches to older versions, with the result that the software may well still be up to date from a security point of view. The Red Hat Security Response Team was also unable to find any vulnerabilities and made an official enquiry on the OpenSSH mailing list, to which Damien Miller responded with his opinion.
In summary, it appears that a previously unknown group has probably targeted and penetrated websites belonging to unpopular persons or other groups. The published logs led to speculation which, through a process of Chinese whispers and reports from a friend of a friend, ended up as rumours of a dangerous zero day exploit. In other words, much FUD about nothing. Administrators should nonetheless keep an eye on their servers, since attackers probing SSH access never sleep.
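The distinction the analysis above rests on, a successful login preceded by a run of failures from the same source versus a success with no failures at all, can be checked directly in sshd's auth log. The following is an added example (not code from the article, HostGator or the OpenSSH project) that walks constructed sshd log lines and flags sources whose success followed a brute force pattern; the log lines, host name, addresses and the failure threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from any published break-in log).
SAMPLE_LOG = """\
Jul  8 02:11:01 web1 sshd[2345]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jul  8 02:11:03 web1 sshd[2345]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jul  8 02:11:05 web1 sshd[2348]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jul  8 02:11:08 web1 sshd[2351]: Failed password for root from 203.0.113.7 port 40141 ssh2
Jul  8 02:11:10 web1 sshd[2353]: Accepted password for root from 203.0.113.7 port 40150 ssh2
Jul  8 09:30:12 web1 sshd[3102]: Accepted publickey for deploy from 198.51.100.4 port 51002 ssh2
"""

# Matches the standard "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def classify_logins(log_text, threshold=3):
    """Return {source_ip: verdict} for every source that logged in successfully.

    'brute-force' : at least `threshold` failed attempts from that source
                    preceded the successful login
    'clean'       : the success was not preceded by that many failures
    A source that ever shows the brute-force pattern keeps that verdict.
    """
    failures = defaultdict(int)   # failed attempts seen so far, per source IP
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                # unrelated sshd/syslog line
        ip, result = m.group("ip"), m.group("result")
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            verdicts[ip] = "brute-force"
        elif verdicts.get(ip) != "brute-force":
            verdicts[ip] = "clean"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_logins(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

A single "Accepted" with no preceding failures from a source that should not have valid credentials is the pattern that would point to something other than brute force, so it is worth listing the "clean" successes as well rather than only the flagged ones.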