
OpenSSH Flaw exposes servers to brute-force attacks

Image: OpenSSH server, encrypted communication with OpenSSH.

A new critical vulnerability was discovered in the widely used OpenSSH software: attackers exploiting this flaw can run brute-force attacks against servers.

An attacker exploiting the flaw can brute-force a server by performing thousands of authentication requests remotely. The vulnerability affects the latest version of OpenSSH (version 6.9); MITRE assigned it the identifier CVE-2015-5600.

OpenSSH is software used to encrypt traffic between clients and servers, preventing eavesdropping and other attacks. It also provides several authentication methods and secure tunneling capabilities.

Normally, OpenSSH allows 3 to 6 password login attempts before closing a connection, but the flaw discovered by the experts allows an attacker to bypass this limit and run brute-force attacks. This is the case for OpenSSH servers with keyboard-interactive authentication enabled, which can be abused to brute-force credentials over the SSH protocol. Unfortunately, keyboard-interactive authentication is enabled by default on many systems.
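The three settings this paragraph turns on (the per-connection attempt limit, the login grace time, and whether keyboard-interactive authentication is enabled at all) all live in sshd_config. The following audit script is an added example, not code from the article or from the OpenSSH project. It assumes the sshd_config(5) syntax (one keyword and value per line, case-insensitive keywords, `#` comments, and the first occurrence of a keyword being the one sshd honours), treats `ChallengeResponseAuthentication` and the newer `KbdInteractiveAuthentication` as the same keyword, and stops reading at the first `Match` block because settings after it are conditional. The two embedded configurations are constructed samples, and the thresholds (grace time of at most 30 seconds, at most 3 authentication tries) are this example's own choices following the article's advice, not OpenSSH defaults.

```python
"""Audit an sshd_config for the settings involved in CVE-2015-5600-style brute forcing."""
import re

# Values sshd applies when a keyword is absent, as documented in sshd_config(5)
# for the OpenSSH 6.x generation the article discusses (PermitRootLogin changed
# to prohibit-password in 7.0).
DEFAULTS = {
    "logingracetime": "2m",
    "maxauthtries": "6",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "yes",
}

_TIME_RE = re.compile(r"(\d+)([smhdw]?)")
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value):
    """Convert an sshd time value ("30", "2m", "1h30m") into seconds."""
    if not re.fullmatch(r"(\d+[smhdw]?)+", value):
        raise ValueError(f"bad sshd time value: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in _TIME_RE.findall(value))


def parse_config(text):
    """Return {lowercase keyword: value}, keeping the FIRST occurrence as sshd does."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":          # everything after a Match block is conditional
            break
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"   # same keyword under its newer name
        cfg.setdefault(key, parts[1] if len(parts) > 1 else "")
    return cfg


def effective(cfg, key):
    return cfg.get(key, DEFAULTS.get(key, ""))


def audit(text, max_grace_seconds=30, max_auth_tries=3):
    """Return a list of (keyword, effective value, advice) for weak settings."""
    cfg = parse_config(text)
    findings = []
    grace = parse_time(effective(cfg, "logingracetime"))
    if grace > max_grace_seconds:
        findings.append(("logingracetime", f"{grace}s",
                         f"reduce LoginGraceTime to {max_grace_seconds}s or less"))
    tries = int(effective(cfg, "maxauthtries"))
    if tries > max_auth_tries:
        findings.append(("maxauthtries", str(tries),
                         f"lower MaxAuthTries to {max_auth_tries} or less"))
    if effective(cfg, "kbdinteractiveauthentication").lower() == "yes":
        findings.append(("kbdinteractiveauthentication", "yes",
                         "keyboard-interactive auth is the path the flaw abuses; disable it if unused"))
    if effective(cfg, "passwordauthentication").lower() == "yes":
        findings.append(("passwordauthentication", "yes",
                         "prefer public-key authentication over passwords"))
    if effective(cfg, "permitrootlogin").lower() == "yes":
        findings.append(("permitrootlogin", "yes",
                         "disable password logins for root"))
    return findings


# Constructed sample: a pre-7.0 sshd_config that leaves the defaults in place.
WEAK_CONFIG = """
Port 22
UsePAM yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
"""

# Constructed sample: the article's mitigations applied.
HARDENED_CONFIG = """
Port 22
LoginGraceTime 30
MaxAuthTries 3
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for key, value, advice in audit(text):
            print(f"  {key} = {value}: {advice}")
```

Run against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the weak sample yields five findings and the hardened one none. Note that disabling keyboard-interactive authentication removes the path the flaw abuses but also disables PAM-based prompts such as one-time passwords, so check what your PAM stack relies on before changing it.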


The vulnerability was discovered by a researcher using the pseudonym KingCope, who explained that many systems are affected by the flaw, including FreeBSD.

“OpenSSH has a default value of six authentication tries before it will close the connection (the ssh client allows only three password entries per default). With this vulnerability an attacker is able to request as many password prompts limited by the “login graced time” setting, that is set to two minutes by default. Especially FreeBSD systems are affected by the vulnerability because they have keyboard-interactive authentication enabled by default.” explained KingCope in a blog post.

In order to exploit the bug, an attacker can execute the following command:

ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost

The above command allows up to 10000 password entries within the two minutes permitted by the login grace time setting.

“The crucial part is that if the attacker requests 10000 keyboard-interactive devices openssh will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded.” continues the expert.

Two minutes of ‘grace period’ and thousands of login attempts are enough to successfully run a brute-force attack using a common dictionary.

The next release of OpenSSH, version 7.0, will include a patch that fixes the problem. The new release is expected in a few weeks.

In the meantime, below are a few suggestions to mitigate the risk:

  • Limit access to SSH by using a firewall.
  • Disable password authentication for the root account.
  • Use intrusion detection systems (IDS) to mitigate brute force attacks.
  • Use strong passwords.
  • Use a cryptographic key pair that is at least 2,048 bits in length.
  • Reduce the grace period to 20 or 30 seconds.
  • Use applications that control and limit failed login attempts.
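The IDS and failed-login-control suggestions above work best when the detection looks for the specific shape of this attack: a healthy sshd disconnects a client once MaxAuthTries failures are logged for one connection, so a single connection (one sshd process id) that logs more failures than that is the signature of the keyboard-interactive device flood, and it stands out even when the source address has not yet tripped a plain rate threshold. The script below is an added example and not code from the article, KingCope, or the OpenSSH project. It assumes the syslog line format OpenSSH produces (`Mon DD HH:MM:SS host sshd[pid]: Failed <method> for [invalid user] <user> from <ip> port <n> ssh2`); the log lines it parses are constructed samples.

```python
"""Flag SSH connections and sources whose failed logins exceed what MaxAuthTries should allow."""
import re
from collections import Counter

# One regex for the "Failed <method> for ..." lines sshd logs via syslog.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (ip, pid, method, user) for every failed-authentication line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield m["ip"], m["pid"], m["method"], m["user"]


def find_flooded_connections(log_text, max_auth_tries=6):
    """Return {(ip, pid): failures} for connections that logged more failures than
    MaxAuthTries allows (6 is the OpenSSH default quoted in the article).

    sshd forks one process per connection, so the pid identifies the connection;
    more failures than the limit within one pid means the limit was bypassed."""
    per_connection = Counter((ip, pid) for ip, pid, _, _ in parse_failures(log_text))
    return {conn: n for conn, n in per_connection.items() if n > max_auth_tries}


def failures_per_source(log_text):
    """Plain per-address failure counts, the input to an ordinary rate-based block."""
    return Counter(ip for ip, *_ in parse_failures(log_text))


# Constructed samples: eight keyboard-interactive failures on ONE connection
# (pid 4021) from 198.51.100.7, which a correctly limiting sshd would never log,
# followed by an ordinary two-failure attempt that sshd cut off, and one success.
_FLOOD = "\n".join(
    f"Jul 22 10:00:{s:02d} bastion sshd[4021]: Failed keyboard-interactive/pam for root "
    f"from 198.51.100.7 port 40122 ssh2"
    for s in range(1, 9)
)
SAMPLE_LOG = _FLOOD + "\n" + """\
Jul 22 10:00:30 bastion sshd[4033]: Failed password for invalid user admin from 203.0.113.9 port 2200 ssh2
Jul 22 10:00:31 bastion sshd[4033]: Failed password for invalid user admin from 203.0.113.9 port 2200 ssh2
Jul 22 10:00:32 bastion sshd[4033]: error: maximum authentication attempts exceeded for invalid user admin from 203.0.113.9 port 2200 ssh2 [preauth]
Jul 22 10:01:40 bastion sshd[4040]: Accepted publickey for deploy from 192.0.2.10 port 51020 ssh2
"""

if __name__ == "__main__":
    for (ip, pid), n in find_flooded_connections(SAMPLE_LOG).items():
        print(f"ALERT: {n} failures on one connection (pid {pid}) from {ip}; MaxAuthTries bypassed")
    for ip, n in failures_per_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failed logins")
```

Feed it `open("/var/log/auth.log").read()` (or the journal export on systemd hosts) and pass your configured MaxAuthTries as `max_auth_tries`. The per-connection check is the one worth alerting on: a source that accumulates failures across many short connections is normal scanning noise, whereas one connection that sails past the limit means the server is not enforcing it.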

Pierluigi Paganini

(Security Affairs – openssh, hacking)