SSH security glitch exposes networks, patch re-released

Patrick Gray,

18 September 2003 09:20 AM

Tags: bindview, simple, buffer, overflow, vulnerability, eeye, ssh, nomad

A critical security flaw in SSH has been revealed that threatens servers worldwide.

SSH is a widely used encrypted remote management shell for Unix, Linux and BSD platforms. Experts say attackers have been exploiting the vulnerability to gain access to systems illegally for months.

What started as quiet mumblings and rumours turned into screaming warnings yesterday as the security community slowly learned of the threat. Maiffret, chief hacking officer of US-based eEye Digital Security, told ZDNet Australia by phone that the vulnerability should be taken very seriously. "It's pretty close to a skeleton key to most networks," he said.

It's not uncommon for vulnerabilities in Unix-style systems to be exploited for months by the underground community, Maiffret said. "It's definitely happened in the past with SSH vulnerabilities ... it's definitely a recurring theme for Unix vulnerabilities."

Security researcher Mark "Simple Nomad" Loveless, who works with BindView Corporation, doesn't doubt an exploit to the vulnerability is "in the wild". "It sounds like someone's got the exploit ... a lot of people are claiming they have it, but it looks like some people actually do," he said during a phone interview.

He says that all versions of OpenSSH running on all distributions of Linux and BSD are affected, excluding those that have patched within the last couple of hours to version 3.7.1. Loveless says there are actually two vulnerabilities in the software. "[Version] 3.7 was released early this morning, and then 3.7.1 was released about a couple of hours ago," he said. "The thing was just the way the two bugs work.... It looks like the first one was probably fixed with 3.7 and the other one was fixed with 3.7.1."

There are, however, suggestions that some mitigating factors may apply. "There are rumours going around that you need to allow remote root SSH login for the exploit to work," he said. "That's the thing, there are all these rumours going around."

Loveless says people should patch to 3.7.1 as soon as they can. "Exploit code will surface within hours," he warned.

CERT has released an advisory; however, it was released before the 3.7.1 upgrade. The OpenSSH patch and advisory have since been updated. "All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management errors. It is uncertain whether these errors are potentially exploitable, however, we prefer to see bugs fixed proactively," it reads.
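The upgrade advice and the advisory's "prior to 3.7.1" wording translate into a simple fleet check: read the version from each sshd identification banner, compare it against 3.7.1 so that 3.7 (which fixed only the first of the two bugs) is still flagged, and use PermitRootLogin only to prioritise, since the article presents remote root login as an unconfirmed precondition. The script below is an added example written for this page, not code from the article, CERT or the OpenSSH project; the host names, banners and sshd_config fragments are constructed sample data, and treating an unset PermitRootLogin as "yes" follows the OpenSSH 3.x default.

```python
"""Inventory check for the OpenSSH buffer-management bugs fixed in 3.7/3.7.1.

Added example; not the article's code. Banners and config text below are
constructed sample data, not captured from real hosts.
"""
import re

# Per the advisory quoted in the article: sshd prior to 3.7.1 is affected.
FIXED_VERSION = (3, 7, 1)

# SSH identification string, e.g. "SSH-1.99-OpenSSH_3.6.1p2"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?P<suffix>\S*)"
)


def parse_openssh_banner(banner):
    """Return (version tuple, portable suffix) or None if the banner is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    version = tuple(int(part) for part in m.group("ver").split("."))
    return version, m.group("suffix")


def _padded(version, width=3):
    # 3.7 and 3.7.0 are the same release; pad so tuple comparison is exact.
    return tuple(version) + (0,) * (width - len(version))


def is_vulnerable_version(version):
    """True for any OpenSSH release before 3.7.1 (3.7 fixed only the first bug)."""
    return _padded(version) < _padded(FIXED_VERSION)


def permit_root_login(config_text):
    """Return the first PermitRootLogin value in sshd_config text, or None if unset.

    sshd honours the first occurrence of a keyword, so later duplicates are ignored.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return None


def assess_host(host, banner, config_text):
    """Classify one host as patched, vulnerable, or not running OpenSSH at all."""
    parsed = parse_openssh_banner(banner)
    if parsed is None:
        return {"host": host, "status": "not-openssh", "banner": banner.strip()}
    version, suffix = parsed
    vulnerable = is_vulnerable_version(version)
    root = permit_root_login(config_text)
    effective_root = "yes" if root is None else root  # OpenSSH 3.x default when unset
    result = {
        "host": host,
        "version": ".".join(map(str, version)) + suffix,
        "status": "vulnerable" if vulnerable else "patched",
        "permit_root_login": effective_root,
    }
    if vulnerable:
        # Remote root login was only a rumoured precondition in the article;
        # it sets priority, never a reason to skip the upgrade.
        result["action"] = "upgrade to 3.7.1" + (
            " (urgent: root login permitted)" if effective_root == "yes" else ""
        )
    return result


# Constructed sample inventory: (host, banner as received, sshd_config text)
SAMPLE_INVENTORY = [
    ("build01", "SSH-1.99-OpenSSH_3.6.1p2\r\n", "Port 22\nPermitRootLogin yes\n"),
    ("web02", "SSH-2.0-OpenSSH_3.7p1\r\n", "# PermitRootLogin yes\nPermitRootLogin no\n"),
    ("bastion", "SSH-2.0-OpenSSH_3.7.1p1\r\n", "PermitRootLogin no\n"),
    ("fw01", "SSH-2.0-dropbear_0.39\r\n", ""),
]


def summarise(inventory):
    """Assess every host in the inventory and return the rows in order."""
    return [assess_host(h, b, c) for h, b, c in inventory]


if __name__ == "__main__":
    for row in summarise(SAMPLE_INVENTORY):
        print(row)
```

Run against the sample inventory, build01 (3.6.1, root login on) and web02 (3.7) both come back as vulnerable, with build01 marked urgent, the bastion on 3.7.1 is reported as patched, and the non-OpenSSH box is left for a separate check rather than being silently passed.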


Talkback 2 comments

  1. Anonymous -- 18/09/03

    "It's not uncommon for vulnerabilities in Unix-style systems to be exploited for months by the underground community, ........ It's definitely happened in the past with SSH vulnerabilities ... it's definitely a recurring theme for Unix vulnerabilities."

    Shame on you ZDNet Australia for printing unchallenged remarks from these two very biased security 'experts', who are really representatives from two different software houses specializing in software products which try to cover security holes in Microsoft NT, IIS and the SQL server products (eEye Digital Security, BindView Corp.), that slander Linux, BSD and the Open Source communities.

    Where are your lead articles about the tide of Windows viruses flooding the internet and infecting millions of unpatched Windows Operating Systems week after week? Or a story about the 31 unpatched holes in Internet Explorer, some more than three years old,

    http://www.PivX.com/larholm/unpatched

    with comments by Eric Raymond and Bruce Perens about frustrated Windows users screaming for fixes?

    In a classic example of trying to make the exception the rule, the 'experts' apparently have the FSF intrusion in mind and imply that the SSH "attackers have been exploiting the vulnerability to gain access to systems illegally for months", an obvious canard.

    Thankfully, the last paragraph gives readers a link to sites which demonstrate that the exploit was revealed on 9/16/2003 and the first patch came within HOURS, at 10:02PM that same day!!! The patch for the second part of that hole came today, 9/17/2003.

    But, will most readers learn about the bias of the 'experts' or wade through the CERT announcements and the OpenSSH.com patch page to learn the truth, or will they assume the 'experts' are being factual in their emotion-laden accusations and that Linux is as insecure as Windows and takes as long to get its holes patched?

    Those that check CERT will find the opposite to be true. The SSH hole WASN'T previously known by the OpenSource community so they did NOT callously allow it to be exploited for "months", and there were NO users frustrated that their 'quiet grumblings' fell on deaf ears and so they had to 'scream' to get the exploit patched. That behaviour is the sole response of proprietary code users. CERT reveals that fact, so the ravings of these 'experts' seem nothing more than FUD designed to slow the flood of Windows users moving to the Linux paradigm. While OpenSSH and other OpenSource vendors immediately released patches upon discovery of the exploit, CERT notes that some proprietary vendors allow their users to remain vulnerable until the release of the next 'version', whenever that is.

  2. Anonymous -- 19/09/03

    >It's not uncommon for vulnerabilities in Unix-style
    >systems to be exploited for months by the
    >underground community, Maiffret said. "It's
    >definitely happened in the past with SSH
    >vulnerabilities ... it's definitely a recurring
    >theme for Unix vulnerabilities."

    ?????

    Smells like a Microsoft CEO...
