Michael Rash, Security Researcher

OpenSSH Vulnerability Rumor

Protect OpenSSH with fwknop

UPDATE: 08/07/09 So, Defcon 17 has come and gone, and I have not heard anything credible to indicate there is a new vulnerability in OpenSSH. That said, I still run all of my SSH daemons behind SPA/fwknop. My original post appears below.

There are rumors of a new vulnerability in OpenSSH that may affect several versions prior to the current OpenSSH 5.2 release. If these rumors are true - and there is a claim that details will be provided in time for the upcoming Black Hat and Defcon conferences three weeks from now - then it may be a good idea to deploy either a port knocking or SPA solution to protect SSH daemons. Although solid proof has yet to be released, it is a good bet that if there really is a remotely exploitable vulnerability, it will have nothing to do with brute-force password guessing.

Although log parsers that wrap thresholds around failed login attempts can be useful, what I worry about are vulnerabilities where password guessing is completely unnecessary for a successful compromise. This is where SPA comes in: with a default-drop firewall policy in front of sshd, the port is closed to everyone until a valid SPA packet arrives, so the service is essentially impossible to identify via scans, and when an attacker (who may be armed with a 0-day exploit) goes looking for SSH servers to attack, your server will not be on the list. There have been remote exploits against OpenSSH before that allowed arbitrary code execution, and password guessing was nowhere in sight. It is only a matter of time before the next one is found (hopefully by the whitehats first) in OpenSSH or whatever other SSH implementation you are running.
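To make the mechanism concrete, here is an added toy model of SPA in front of a default-drop firewall. It is example code written for this page, not fwknop's own code or packet format (fwknop encrypts its packets with Rijndael or GnuPG and keeps a digest cache of seen packets; the key, timeout values, addresses and the in-memory "firewall" below are all constructed for the demo, and the HMAC-based packet layout is a stand-in). It shows the property the argument above relies on: a scanner sees nothing, a single valid packet opens the port for one source address for a limited time, and replayed, forged or stale packets are dropped without any reply.

```python
"""Toy single packet authorization (SPA) gate in front of a default-drop firewall.

Added illustration for this post; it is NOT fwknop's wire format or code. fwknop uses
encrypted packets (Rijndael or GnuPG) carrying a random field, username, timestamp,
version and access string, plus a digest cache for replay detection. This toy keeps the
properties that matter for the argument: a single authenticated packet, no reply from
the server, a timestamp window and replay cache, and on success a timed firewall
exception for one source IP only. Everything else is default drop.
"""
import hashlib
import hmac
import json
import os
import time

KEY = b"constructed-demo-key-do-not-reuse"  # shared secret, constructed for the demo
TIME_WINDOW = 120      # seconds of clock skew tolerated (assumed value)
ACCESS_TIMEOUT = 30    # seconds the accept rule lives (assumed; cf. fwknop FW_ACCESS_TIMEOUT)
TAG_LEN = 32           # HMAC-SHA256 output length in bytes


def build_spa_packet(key, allow_ip, port, proto="tcp", now=None):
    """Client side: one packet saying 'let allow_ip reach proto/port', authenticated with key."""
    body = {
        "rand": os.urandom(16).hex(),  # fresh per packet, so identical requests never collide
        "ts": int(now if now is not None else time.time()),
        "allow_ip": allow_ip,
        "access": f"{proto}/{port}",
    }
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return raw + tag  # fixed-length tag appended; the receiver splits on TAG_LEN


class SpaGate:
    """Server side: verifies SPA packets and keeps a default-drop firewall with timed holes.

    self.rules stands in for the iptables ACCEPT rules fwknopd would insert and later remove;
    anything not in it is dropped, which is exactly what a port scanner sees.
    """

    def __init__(self, key):
        self.key = key
        self.seen = set()   # digest cache: every accepted packet is remembered to stop replays
        self.rules = {}     # (src_ip, "proto/port") -> expiry time

    def handle_packet(self, packet, now=None):
        """Process one sniffed packet. Returns a log string; nothing is ever sent to the sender."""
        now = now if now is not None else time.time()
        if len(packet) <= TAG_LEN:
            return "drop: malformed"
        raw, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # authenticate before parsing anything
            return "drop: bad authenticator"
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return "drop: replay"
        body = json.loads(raw)                       # only authentic data reaches the parser
        if abs(now - body["ts"]) > TIME_WINDOW:
            return "drop: stale timestamp"
        self.seen.add(digest)
        self.rules[(body["allow_ip"], body["access"])] = now + ACCESS_TIMEOUT
        return f"accept: {body['access']} opened for {body['allow_ip']} for {ACCESS_TIMEOUT}s"

    def is_open(self, src_ip, port, proto="tcp", now=None):
        """What src_ip sees on proto/port: True only while a live rule exists, else dropped."""
        now = now if now is not None else time.time()
        expiry = self.rules.get((src_ip, f"{proto}/{port}"))
        return expiry is not None and now < expiry


def demo(now=1_250_000_000):
    """Walk through scan, valid knock, replay, forgery, stale packet and rule expiry."""
    gate = SpaGate(KEY)
    client, scanner = "198.51.100.7", "203.0.113.9"   # RFC 5737 documentation addresses
    results = {}
    results["scan_before"] = gate.is_open(scanner, 22, now=now)             # default drop
    pkt = build_spa_packet(KEY, client, 22, now=now)
    results["first"] = gate.handle_packet(pkt, now=now)                     # opens tcp/22 for client
    results["client_open"] = gate.is_open(client, 22, now=now + 5)
    results["scanner_still_closed"] = gate.is_open(scanner, 22, now=now + 5)
    results["replay"] = gate.handle_packet(pkt, now=now + 10)               # same bytes again
    forged = build_spa_packet(b"guessed-key", scanner, 22, now=now)
    results["forged"] = gate.handle_packet(forged, now=now)
    stale = build_spa_packet(KEY, scanner, 22, now=now - 3600)
    results["stale"] = gate.handle_packet(stale, now=now)                   # captured and delayed
    results["client_after_timeout"] = gate.is_open(client, 22, now=now + ACCESS_TIMEOUT + 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>22}: {value}")
```

Two points the model makes visible: the server never answers, so a scanner cannot even tell that an SPA listener exists, and the accept rule is keyed to the source address named in the packet, so a valid knock from one host opens nothing for anyone else. In a real iptables deployment the timed ACCEPT rule is paired with an ESTABLISHED,RELATED rule, so an SSH session started inside the window survives the rule's removal; is_open here only models whether a new connection can be started.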

In the meantime, perhaps the Metasploit framework will come up with an exploit before Black Hat. Or perhaps this will always remain just a rumor. Either way, there is little harm in protecting your SSH daemon behind SPA and a default-drop firewall policy. SPA narrows who can reach the daemon at all; it is not a substitute for applying the fix once one is released.