SSHamble: Open-source security testing of SSH services


runZero published new research on Secure Shell (SSH) exposures and unveiled a corresponding open-source tool, SSHamble. This tool helps security teams validate SSH implementations by testing for uncommon but dangerous misconfigurations and software bugs.

Discovered weaknesses

During their presentation at Black Hat USA 2024, HD Moore and Rob King shared that the research was prompted by the xz-utils backdoor incident and their investigation into “Jia Tan,” the persona used by likely nation-state actors to plant malicious code into the xz-utils compression utility integrated into many Linux distributions.

Activities intended to aid in responding to the incident led runZero’s research team to discover weaknesses across SSH implementations and applications that impact critical network security devices and software. These long-standing issues have remained undiscovered due to the lack of tooling available to exercise the layers of the SSH protocol.

As one of the most common remote administration services, SSH is widespread; it is found in every major operating system, embedded in many applications, and enabled by default in cloud environments. Researchers uncovered new SSH authentication bypass issues, information leaks, and misconfigurations. SSH vulnerabilities were also identified in various products, including a significant regression in OpenSSH for Microsoft Windows.

Additional SSH vulnerabilities were identified in Digi International ICS gateways, Panasonic Ethernet switches, Realtek-based ADSL routers, Ruckus wireless access points, common Git-based development tools like Soft Serve and Gogs, and various consumer-focused networking equipment. In some cases, vendors have made patches available.

SSHamble

“Our research uncovered over fifty thousand unauthenticated shells and misconfigurations, posing widespread risk,” said HD Moore. “We developed SSHamble as an open-source project to help security professionals identify SSH exposures and misconfigurations and enable vendors to test their appliances and tooling before they ship. runZero’s mission is to enhance security visibility, improve exposure management, and speed up response times.”

SSHamble simulates potential attack scenarios, including unauthorized remote access due to unexpected state transitions, remote command execution in post-session login implementations, and information leakage through unlimited high-speed authentication requests.

The SSHamble interactive shell provides raw access to SSH requests in the post-session (but pre-execution) environment, allowing for simple testing of environment controls, signal processing, port forwarding, and more.

SSHamble is available for free on GitHub.
