Black Hat A funny thing happened to security researchers at attack surface management company runZero when they were digging into the xz backdoor earlier this year: They found a whole bunch of vulnerabilities stemming from poorly secured or implemented SSH services.

The discovery, which runZero director of security research Rob King said was "pure serendipity," began after he and runZero founder HD Moore started investigating the mysterious, almost certainly pseudonymous, individual believed to be responsible for the xz backdoor in certain SSH server deployments: Jia Tan. 

"We were poking the [SSH] protocol in ways it isn't usually poked," King told The Register. "We never found Jia Tan, but we did find tons of long-tail issues in SSH." 

Not in the SSH protocol, mind you, but in a bunch of server-side deployments and implementations of it in devices including wireless access points, routers, firewalls, and other stuff you would hope would be secure, but which apparently don't.

That some equipment out there has remotely accessible security holes is not a surprise; what's interesting here is that this research concerns bungled SSH-secured services. If you were expecting SSH-based access to be inherently secure, guess again.

On wireless access points (WAPs) specifically, "there are about 36,000 connected to the internet that we can get to," King said, "and at least 900 of those are still vulnerable."

Many of the vulnerabilities King and Moore discovered are related to old SSH features that haven't been improved in recent years, leaving potential openings for an attack on secure shell servers. Those include unauthenticated information exposure, unusual implementation of public key authentication, default exposure to brute force attacks, and other problems. 

"We didn't discover any specific vulnerabilities in mainline OpenSSH or Dropbear," King said, citing two of the most popular SSH client-servers as an example. "It's more that we found vulnerabilities in products that were using them because they weren't necessarily using them correctly."

In one particularly serious case, King cited an issue they found involving Git servers and their use of SSH that can lead to remote code execution and gaining arbitrary access to source code. "I had a lot of fun with that one," King told us. 

Oh, SSHit - this is serious, isn't it?

King and Moore's Black Hat talk today about their findings goes into additional detail on the pervasive nature of vulnerabilities in poor SSH implementations and usage, and their existence in lots of devices, but suffice it to say this is one issue you'll want to check your devices against.

As is often the case when these sorts of discoveries are made, runZero has released a tool, dubbed SSHamble, that can be used to test SSH implementations for vulnerabilities that have generally gone unnoticed due to the fact that no one thinks to look for them.

"You don't find what you don't look for," King told us. 

Aside from one of the issues he discovered (CVE-2024-41956), King was hesitant to go into specifics about what's vulnerable and where they might be found - understandable, given how wide-reaching the issue could be and how much damage it could do. 

Thankfully, he's not aware of anyone exploiting these SSH-based vulnerabilities in the wild, and several of the issues have been patched, but haven't yet been publicly disclosed. Keep an eye out for them! We are. ®

https://www.theregister.com//2024/08/07/vulnerable_ssh_implementations_are_everywhere/