
OpenSSH

Product
Developers: The OpenBSD Foundation
Date of the premiere of the system: 2022/04/08
Last Release Date: 2024/06/07
Technology: Information Security - Authentication, Information Security - Encryption Tools

OpenSSH is the primary tool for remote login over SSH. It encrypts all traffic to prevent eavesdropping, connection hijacking and other attacks. In addition, OpenSSH provides a large set of secure tunneling capabilities, several authentication methods, and a wide range of configuration options.

2024

A dangerous vulnerability has been discovered in the popular OpenSSH remote access server. FSTEC warns

A rather dangerous vulnerability has been discovered in the popular secure remote access tool, the OpenSSH server, and FSTEC has issued a warning about it. It is recorded as BDU:2024-04914[1] in FSTEC's database of threats and vulnerabilities, but it is widely known under its own name, regreSSHion. This is not the first vulnerability in a cryptographic security tool to receive its own name: in 2014, a bug called Heartbleed was discovered in OpenSSL.

Researchers at Qualys[2] discovered that the OpenSSH server process, sshd, can be driven into a race condition in its signal handler, which allows memory to be overwritten and leads to unauthenticated remote code execution with superuser (root) privileges. Exploitation has been confirmed on glibc-based Linux systems; there is no confirmation yet for Windows and macOS. The attack was demonstrated on a 32-bit glibc system with ASLR (address space layout randomization) enabled. A successful laboratory attack took 6-8 hours of continuously opening connections to the server at the maximum rate allowed by the sshd configuration.

The vulnerability is the result of a regression introduced in the OpenSSH 8.5 release that reintroduced a race condition in sshd's signal handling code, which is why it was named regreSSHion. The change undid the fix for the old CVE-2006-5051 vulnerability, found before OpenSSH 4.4 (2006) and considered theoretical at the time. The bug has been fixed in OpenSSH 9.8p1.

"Not only in Russia, but also in the world, OpenSSH is one of the most popular components of server software," Luka Safonov, technical director of WAF, clarified for TAdviser. "Using an exploit for this vulnerability is extremely dangerous, as evidenced by its CVSS severity score of 8.1."

"OpenSSH is a popular service in our country," Dmitry Kalinin, head of the vulnerability and incident department at the information security integrator Bastion, confirmed to TAdviser. "First of all, this is because, in addition to servers and workstations, it is widely used in network equipment (routers, firewalls, etc.). There are both the latest versions, which were considered safe before this vulnerability was disclosed, and older ones with known vulnerabilities. In this regard, exploitation of this vulnerability carries very high risks.

The only deterrent may be that the SSH protocol, of which OpenSSH is an implementation, is often an internal protocol. That is, it is used in so-called management networks and, in an infrastructure configured correctly from a security standpoint, is not reachable from the Internet or is reachable only from certain IP addresses."

Qualys has published a detailed analysis of regreSSHion, but does not publish exploitation examples so as not to encourage malicious activity. According to the company, about 700 thousand Internet-connected systems worldwide may be exposed to this vulnerability. According to the ZoomEye.hk service, there are almost 4 million OpenSSH servers in Russia, although how many of them are vulnerable is not clear. Qualys has provided indicators of compromise with which any owner of an OpenSSH-based server can identify possible attacks.

Figure: ZoomEye.hk statistics on the distribution of OpenSSH servers by country

"In connection with the identification of this vulnerability, the specialists of the Innostage CyberART Cyber Threat Counteraction Center recommend updating the OpenSSH software to version 9.8p1," Albert Antonov, head of the OSINT group at the Innostage SOC CyberART Cyber Threat Counteraction Center, told TAdviser when giving his recommendations for OpenSSH owners. "The following actions are possible as temporary compensatory measures:"

  • Set the "LoginGraceTime = 0" parameter in sshd_config. Note that disabling the timeout makes it easier to cause a denial of service by opening a large number of connections in excess of the limits set via the "MaxStartups" parameter.
  • Restrict SSH access through network controls by implementing a whitelist of IP addresses to minimize the risk of attacks.

FSTEC itself also recommends installing updates as quickly as possible. But if this is impossible for some reason, then the following compensatory measures can be taken:

  • to limit the possibility of exploitation, set LoginGraceTime to 0 in /etc/ssh/sshd_config and restart sshd;
  • use antivirus software to track attempts to exploit the vulnerability;
  • use firewalls to limit remote access.
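The two facts an administrator needs from the section above are the affected version range (the regression entered in OpenSSH 8.5 and was fixed in 9.8p1) and the interim LoginGraceTime mitigation. The following script is an added example, not code from the TAdviser article or from the OpenSSH project; it checks a version banner against that range and reads the effective LoginGraceTime from an sshd_config file the way sshd itself does (first value wins, "key value" and "key = value" both accepted, keyword case ignored). The default of 120 seconds when the keyword is absent is taken from sshd_config(5).

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSH project): offline
# checks for the regreSSHion facts stated above.

# Return 0 when a version banner such as "SSH-2.0-OpenSSH_9.6p1" falls in
# the affected range 8.5 <= version < 9.8, 1 when it does not, and 2 when
# the string is not an OpenSSH banner at all.
openssh_is_affected() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 2
    major=${v% *}
    minor=${v#* }
    n=$((major * 100 + minor))        # 9.6 -> 906, so versions compare as integers
    [ "$n" -ge 805 ] && [ "$n" -lt 908 ]
}

# Print the effective LoginGraceTime from an sshd_config file. sshd takes
# the first value it finds for a keyword, accepts "key value" as well as
# "key = value", ignores keyword case and skips comment lines; the default
# when the keyword is absent is 120 seconds.
login_grace_time() {
    awk '
        /^[[:space:]]*#/ { next }
        {
            line = $0; gsub(/=/, " ", line); n = split(line, f)
            if (n >= 2 && tolower(f[1]) == "logingracetime") {
                print f[2]; found = 1; exit
            }
        }
        END { if (!found) print "120" }' "$1"
}

# Usage on a host: "sh check.sh --check". ssh -V reports the client version,
# which on packaged systems normally matches the installed sshd.
if [ "${1:-}" = "--check" ]; then
    banner=$(ssh -V 2>&1)
    if openssh_is_affected "$banner"; then
        echo "version in affected range: $banner"
    else
        echo "version outside affected range: $banner"
    fi
    echo "effective LoginGraceTime: $(login_grace_time /etc/ssh/sshd_config)"
fi
```

A LoginGraceTime of 0 only reduces the window for the race the article describes; the version check is what tells you whether the update to 9.8p1 is still outstanding.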

Built-in protection against password-guessing attacks

Built-in protection against automated password-guessing attacks, in which bots try to guess a user's password by cycling through common combinations, has been added to the OpenSSH codebase. To block such attacks, a PerSourcePenalties parameter has been added to the sshd_config configuration file; it sets a blocking threshold that is triggered by a large number of failed connection attempts from a single IP address. This protection mechanism will be included in the next OpenSSH release and will be enabled by default in OpenBSD 7.6. This became known on June 7, 2024.

When the protection is enabled, the sshd process monitors the exit status of its child processes, determining when authentication failed or when a process crashed. A high rate of authentication failures indicates password-guessing attempts, while crashes may indicate attempts to exploit vulnerabilities in sshd.

The PerSourcePenalties parameter sets the threshold of abnormal events beyond which the IP address showing the suspicious activity is blocked. The PerSourceNetBlockSize parameter optionally defines a subnet mask so that the entire subnet containing the offending IP address is blocked.

To disable blocking for individual subnets, the PerSourcePenaltyExemptList parameter is provided. This is useful in situations that lead to false positives, for example when an SSH server is accessed from a large network whose users all appear to come from the same IP address because of NAT or a proxy[3].
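To make the mechanism described in this section concrete, here is an added example (not code from the article or from the OpenSSH project). It tallies the signal PerSourcePenalties reacts to, repeated authentication failures from one source address, over a constructed set of sshd syslog lines, and prints the sshd_config fragment that enables the penalty mechanism. The keyword names follow sshd_config(5); there the values after authfail, crash, min and max are durations in seconds (penalty added per failed authentication, penalty added per crashed pre-authentication child, accumulated penalty at which connections start being refused, and the cap), and the numbers used here are the documented defaults. The exempted network and the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSH project): count
# failed authentications per source address, as PerSourcePenalties does,
# and emit the configuration that turns the mechanism on.

# Constructed sample of sshd syslog lines: four failures from one source,
# one failure from another, and one successful public-key login.
SAMPLE_LOG='Jun  7 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jun  7 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jun  7 10:00:03 host sshd[1203]: Accepted publickey for ops from 198.51.100.7 port 50010 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jun  7 10:00:04 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Jun  7 10:00:05 host sshd[1205]: Failed password for invalid user oracle from 192.0.2.9 port 41000 ssh2
Jun  7 10:00:06 host sshd[1206]: Failed password for root from 203.0.113.5 port 40004 ssh2'

# Print "source count" for every source whose failed-password lines in the
# given log file reach the threshold (default 3), sorted by source.
failed_auth_sources() {
    file=$1
    threshold=${2:-3}
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (s in n) if (n[s] >= t) print s, n[s] }' "$file" | sort
}

# Emit sshd_config lines for the mechanism. Per sshd_config(5): each failed
# authentication adds 5 s of penalty, each crashed pre-auth child 90 s,
# connections are refused once the accumulated penalty exceeds 15 s, the
# penalty is capped at 600 s, and sources are grouped by /32 (IPv4) and
# /128 (IPv6). The exempt list is a placeholder for a site's NAT gateway.
per_source_penalty_config() {
    exempt=${1:-198.51.100.0/24}      # placeholder network, adjust per site
    printf '%s\n' \
        'PerSourcePenalties authfail:5 crash:90 min:15 max:600' \
        'PerSourceNetBlockSize 32:128' \
        "PerSourcePenaltyExemptList $exempt"
}

# Demo: "sh penalties.sh --demo" prints the offending source and the config.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    failed_auth_sources "$tmp" 3
    rm -f "$tmp"
    per_source_penalty_config
fi
```

On a real host the log tally can be run over the authentication log before enabling the feature, to see which sources would be penalised and whether any of them (a NAT gateway, a bastion) belong in PerSourcePenaltyExemptList.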

2023: OpenSSH 9.2 with Server Authentication Vulnerability Fix

The OpenSSH developers have released OpenSSH 9.2, which addresses a number of shortcomings, including a vulnerability that manifests itself during the authentication stage on the OpenSSH server (sshd). This became known on February 6, 2023.

The pre-authentication double-free vulnerability in OpenSSH 9.1, CVE-2023-25136, occurs in the unprivileged pre-authentication process, which runs chrooted and is additionally sandboxed on most major platforms.

Chroot is the operation of changing the root directory on Unix-like operating systems. A program running with a changed root directory only has access to the files contained in that directory.

OpenSSH is an open-source implementation of the Secure Shell (SSH) protocol that provides a set of services for encrypted communication over an unprotected network in a client-server architecture.

Double-free flaws occur when vulnerable code calls free(), the function used to release memory blocks, twice on the same block, which corrupts memory and leads to a crash or arbitrary code execution.

Qualys security researcher Saeed Abbasi said the exposure lies in a memory block that is freed twice, "options.kex_algorithms". He added that the problem leads to "a double free in an unprivileged sshd process."

Abbasi explained that active exploitation of the vulnerability is unlikely, since exploitation would be too complicated: modern memory allocation libraries protect against double frees, and the pre-auth process containing the bug runs with reduced privileges in an isolated sandbox[4].

2022

OpenSSH 9.1 release with RequiredRSASize directive

On October 5, 2022, it became known that OpenSSH 9.1, an open implementation of the client and server for the SSH 2.0 and SFTP protocols, had been released. The release mainly contains bug fixes, including fixes for several potential vulnerabilities caused by memory handling problems:

  • A single-byte overflow in the SSH banner processing code of the ssh-keyscan utility.
  • A double call to free() on an error path when computing file hashes in the digital signature creation and verification code of the ssh-keygen utility.
  • A double call to free() in error handling in the ssh-keysign utility.

Major changes:

  • The RequiredRSASize directive has been added to ssh and sshd to set the minimum allowed size of RSA keys. In sshd, smaller keys are ignored; in ssh, they terminate the connection.
  • The portable edition of OpenSSH has switched to using SSH keys to sign commits and tags in Git.
  • The SetEnv directives in the ssh_config and sshd_config configuration files now apply the value from the first mention of an environment variable if it is defined several times in the configuration (previously the last mention was used).
  • When ssh-keygen is called with the "-A" flag (generation of all default host key types), DSA key generation, which has not been used by default for several years, is disabled.
  • sftp-server and sftp implement the "users-groups-by-id@openssh.com" extension, which allows the client to query the user and group names corresponding to a given set of numeric identifiers (uid and gid). In sftp, this extension is used to display names when listing directory contents.
  • sftp-server implements the "home-directory" extension to expand the paths ~/ and ~user/, an alternative to the previously proposed "expand-path@openssh.com" extension for the same purpose (the "home-directory" extension is proposed for standardization and is already supported by some clients).
  • ssh-keygen and sshd now allow times to be specified in the UTC time zone, in addition to system time, when defining the validity intervals of certificates and keys.
  • sftp allows additional arguments to be specified in the "-D" option (for example, "/usr/libexec/sftp-server -el debug3").
  • ssh-keygen allows the "-U" flag (use ssh-agent) together with "-Y sign" operations to indicate that the private keys are held in ssh-agent[5].

OpenSSH 9.0 release with scp switched to SFTP

On April 8, 2022, it became known that OpenSSH 9.0, an open client and server implementation for the SSH 2.0 and SFTP protocols, had been released. In this version, the scp utility switches by default to SFTP instead of the outdated SCP/RCP protocol (abbreviations of Secure Copy Protocol and Remote Copy Protocol).

Source: techgamingreport.com

SFTP uses more predictable name handling and does not expand glob patterns in file names through the shell on the remote host, which is a source of security problems. In particular, with SCP and RCP the server decides which files and directories to send to the client, and the client only checks that the returned object names are valid; without proper checks on the client side, this allows the server to send files whose names differ from those requested.

The SFTP protocol is free of these problems, but it does not support expansion of special paths such as "~/". To remove this difference, starting with OpenSSH 8.7 the SFTP server implementation supports the "expand-path@openssh.com" protocol extension for expanding the paths ~/ and ~user/.

When using SFTP, users may also encounter an incompatibility caused by the need, in SCP and RCP requests, to double-escape special path expansion characters to prevent their interpretation on the remote side. In SFTP such escaping is not required, and extra quoting may result in a transfer error. At the same time, the OpenSSH developers declined to add an extension reproducing the scp behaviour in this case, since double escaping is regarded as a shortcoming that makes no sense to replicate.

Other changes to the release:

  • By default, ssh and sshd enable the hybrid key exchange algorithm "sntrup761x25519-sha512@openssh.com" (ECDH/x25519 + NTRU Prime), which is resistant to attacks by quantum computers and is combined with ECDH/x25519 to hedge against possible problems in NTRU Prime that may surface in the future. In the KexAlgorithms list, which determines the order in which key exchange methods are selected, this algorithm is now placed first and takes priority over the ECDH and DH algorithms. Quantum computers have not yet reached the level needed to break traditional keys, but hybrid protection defends users against attacks in which intercepted SSH sessions are recorded now in the expectation of decrypting them later, once suitable quantum computers appear.
  • sftp-server has added a copy-data extension that allows data to be copied on the server side, without passing it through the client, when the source and target files are on the same server.
  • The sftp utility has added a "cp" command so the client can initiate server-side file copies.[6]

Notes