Dangerous security flaw likely just a hoax

Security analysts see no evidence of what is alleged to be a zero-day vulnerability in OpenSSH

A claim of a software vulnerability in a program used to connect securely to servers across the Internet is likely a hoax, according to an analyst with the SANS Internet Storm Center.

The program, called OpenSSH (Secure Shell), is installed on tens of millions of servers made by vendors such as Red Hat, Hewlett-Packard, Apple and IBM. It is used by administrators to make encrypted connections with other computers and do tasks such as remotely updating files. OpenSSH is the open-source version, and there are commercial versions of the program.

Earlier this week, SANS received an anonymous e-mail claiming of a zero-day vulnerability in OpenSSH, which means a flaw in the software is already being exploited as it becomes public. It's the most dangerous type of software vulnerability since it means there's no fix for it yet and the bad guys know about it.

A true zero-day vulnerability in OpenSSH could be devastating for the Internet, allowing hackers to have carte blanche access to servers and PCs until a workaround or a patch is readied.

"That's why I think people are actually creating quite a bit of a panic," said Bojan Zdrnja, a SANS analyst and senior information security consultant at Infigo, a security and penetration testing company in Zagreb, Croatia. "People should not panic right now. Nothing at this time points that there is an exploit being used in the wild."

The evidence of a true zero-day vulnerability in OpenSSH is weak, Zdrnja said. So far, analysts haven't seen a working exploit, despite worries that a group called Anti-Sec may have found a zero-day that allowed them to control a Web server.

Details on the hack were posted on Full Disclosure, which is an unmoderated forum for security information.

When pressed for more details, a person claiming to be part of Anti-Sec wrote an e-mail to IDG News Service saying "I'm not allowed to actually discuss the exploit (or whether or not it exists)," which was signed "Anonymous."

Zdrnja said the same group compromised another server recently, but it appeared to be a brute-force attack against OpenSSH. A brute-force attack is where a hacker tries many combinations of authentication credentials in order to get access to a server. If an administrator is using is using simple log-ins and passwords, it makes a server more vulnerable to a brute-force attack, Zdrnja said.

Both of the compromised servers were run by the same person. "I suppose what we are dealing with here are two hackers in a war between themselves," Zdrnja said.

But there are other factors that indicate a zero-day for OpenSSH doesn't exist. If the zero-day existed, hackers would probably be more likely to use it against a more high-profile server than the most recent one that was compromised, Zdrnja said.

One of OpenSSH's developers, Damien Miller, also threw cold water on the possibility of a zero-day. Miller wrote on an OpenSSH forum on Wednesday that he exchanged e-mails with an alleged victim of the zero-day, but the attacks appeared to be "simple brute-force."

"So, I'm not persuaded that a zero-day exists at all," Miller wrote. "The only evidence so far are some anonymous rumors and unverifiable intrusion transcripts."

There also seems to be some confusion between the alleged zero-day and a different vulnerability in OpenSSH, Zdrnja said. That vulnerability, which is as of yet unpatched, could allow an attacker to recover up to 32 bits of plain text from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration, according to an advisory from the U.K.'s Center for the Protection of National Infrastructure (CPNI).

The severity of the vulnerability is considered high, but the chance of successful exploitation is low, according to CPNI. Zdrnja said administrators can implement stronger authentication mechanisms in OpenSSH using public and private keys to guard against a successful attack. In an advisory, OpenSSH also stated that the possibility of a successful attack was low.

Join the PC World newsletter!

Error: Please check your email address.

Tags hoaxexploits and vulnerabilitiessecurity

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?