Internet Security Systems Security Alert
July 24, 2001

SSH Secure Shell Authentication Bypass Vulnerability

Synopsis:

SSH Communications Security, Inc. has reported a serious vulnerability in the SSH Secure Shell application that may allow remote attackers to gain access to affected systems without a valid password. SSH is typically used as a secure alternative to "telnet" for terminal communications. This vulnerability may allow remote attackers to compromise even the most heavily "hardened" systems.

Description:

SSH Communications Security, Inc. has released detailed information describing this vulnerability. SSH is a client-server technology that mimics the functionality of telnet and provides enhanced security features, including strong encryption and support for many forms of authentication.

A vulnerability exists in the way the SSH server daemon (sshd) parses locked accounts. Administrators "lock" accounts by deleting the password hash in the Unix password file and replacing it with a "*" character, "!!", or "NP" (meaning No Password). Any account without a valid password hash is considered locked, thereby preventing access with that account. The vulnerable version of SSH parses these characters incorrectly and in some cases will allow a remote attacker access to the system with any password.

System administrators routinely lock accounts instead of deleting them as a means to disable the account. These locked accounts may be used to compromise the target system. The threat is compounded because administrative accounts, such as "lp", "gdm", or "adm", are locked by default and may also be used to compromise a vulnerable system.

Remote attackers may also take advantage of the banner feature included in SSH to identify vulnerable systems. The SSH daemon reports its version number to the client in the form of a banner. Many tools exist in the wild that scan networks and report SSH version numbers.
ISS X-Force suspects that scanning tools will soon be available to automatically scan and compromise machines affected by this vulnerability. This vulnerability is a candidate for integration into a "worm" because the vulnerability is lightweight and relatively easy to exploit.

Affected Versions:

SSH Secure Shell 3.0.0 for Unix (if password authentication is used)

Windows versions are not affected by this vulnerability.

Recommendations:

Detailed exploit information has been released publicly, and ISS X-Force urges system administrators to upgrade to the latest version of SSH Secure Shell made available by SSH Communications Security, Inc.

SSH Communications Security, Inc. has announced a new version of SSH that contains a fix for this vulnerability. ISS X-Force recommends that all SSH Secure Shell 3.0.0 users upgrade to SSH Secure Shell 3.0.1 immediately. The new version is available at the following addresses:

http://commerce.ssh.com
ftp://ftp.ssh.com/pub/ssh

ISS Internet Scanner Vulnerability Assessment customers may use the following Flex Check to detect vulnerable SSH installations. The Flex Check is available at the following URL:

https://www.iss.net/cgi-bin/download/customer/download_product.cgi

The next X-Press Update for Internet Scanner will include a check for this vulnerability. In addition, a signature for this vulnerability will be available for RealSecure Network Sensor in an upcoming X-Press Update.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2001-0553 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

______

About Internet Security Systems (ISS)

Internet Security Systems is a leading global provider of security management solutions for the Internet, protecting digital assets and ensuring safe and uninterrupted e-business.
With its industry-leading intrusion detection and vulnerability assessment, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to more than 8,000 customers worldwide including 21 of the 25 largest U.S. commercial banks and the top 10 U.S. telecommunications companies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force [EMAIL PROTECTED] of Internet Security Systems, Inc.
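
The lock markers and affected release named under Description and Affected Versions, turned into an added Python audit helper for an administrator's own hosts. It is not code from ISS or SSH Communications Security; the shadow entries, host names and banner strings are constructed samples, and the banner layout assumes the standard "SSH-protoversion-softwareversion comments" identification string.

```python
# Added example for auditing your own systems; all sample data is constructed.
LOCK_MARKERS = {"*", "!!", "NP"}  # lock markers named in the advisory
AFFECTED_VERSION = "3.0.0"        # affected release named in the advisory

# Constructed sample in shadow field order: name:password:...
SAMPLE_SHADOW = """\
root:$1$constructed$0123456789abcdefghijkl:11500:0:99999:7:::
lp:*:11500:0:99999:7:::
gdm:!!:11500:0:99999:7:::
adm:NP:11500:0:99999:7:::
# comment line
alice:$1$constructed$lkjihgfedcba9876543210:11500:0:99999:7:::
"""

# Constructed identification strings, as an inventory job might have recorded them.
SAMPLE_BANNERS = {
    "host-a.example": "SSH-2.0-3.0.0 SSH Secure Shell",
    "host-b.example": "SSH-2.0-3.0.1 SSH Secure Shell",
    "host-c.example": "SSH-2.0-OpenSSH_2.9",
}


def locked_accounts(shadow_text):
    """Return (user, marker) for every entry whose password field is a lock marker."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 2:
            continue  # skip comments, blank lines and malformed entries
        if fields[1] in LOCK_MARKERS:
            found.append((fields[0], fields[1]))
    return found


def banner_is_affected(banner):
    """True when an identification string reports SSH Secure Shell 3.0.0."""
    parts = banner.strip().split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH":
        return False
    software, _, comments = parts[2].partition(" ")
    return software == AFFECTED_VERSION and "SSH Secure Shell" in comments


def hosts_to_upgrade(banners):
    """Hosts whose recorded banner matches the affected release, sorted by name."""
    return sorted(h for h, b in banners.items() if banner_is_affected(b))


if __name__ == "__main__":
    print("upgrade to 3.0.1:", hosts_to_upgrade(SAMPLE_BANNERS))
    for user, marker in locked_accounts(SAMPLE_SHADOW):
        print(f"locked account: {user} ({marker})")
```

The banner alone does not distinguish Unix from Windows installations, so a match marks a host for checking rather than confirming exposure.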
