CYBEREYE
BY BRIAN ROBINSON
Are we headed for a Heartbleed redux with Secure Shell?
IS THE SECURE SHELL
(SSH) vulnerability going to be this year’s OpenSSL? As with the stock market, it’s a mug’s game to predict the future, but warning flags have been raised in response to reports of prob- lems with major security devices.
It was issues with the OpenSSL version of the Secure Sockets Layer encryption that led to the discovery two years ago of the Heartbleed bug, which many security professionals called one of the scariest things they had seen. It allowed anyone who could get to an infected device
to compromise the private keys used to identify ser- vice providers and encrypt data traffic.
Eventually, hundreds
of thousands of servers around the world were found to be vulnerable to Heartbleed, and even now no one seems to know whether all the holes have been plugged.
In December 2015, Ju- niper Networks said it had found “unauthorized code” in its ScreenOS, the operat- ing system that runs on
its widely used NetScreen firewalls. That code would allow a knowledgeable attacker to gain administra- tive access to NetScreen devices via SSH and Telnet, the company said, and
decrypt virtual private net- work connections. Juniper has since made several fixes to its software to close down the gap.
A recent fix to the Dual_EC random number generator used in the fire- walls has been a long time coming because it report- edly contained a backdoor accessible to the National Security Agency and others.
Now researchers have found suspicious code in Fortinet’s FortiOS firewalls
In other words, it’s po- tentially handing the keys to the kingdom to people who will gratefully accept the gift — and then take you for all you are worth.
NIST specifically men- tions backdoor keys as one of the seven categories of vulnerability in SSH, which is widely used to manage servers, routers and other security devices as well as firewalls. It’s also used to provide privileged access to servers and networks.
tackers inside the system move from server to server and steal credentials along the way; and the always present human error.
The recent firewall rev- elations are by no means the only reported problems with SSH. In the middle of last year, researchers also discovered vulnerabilities with the OpenSSH ver- sion of the protocol, which allowed attackers to get around limits on authenti- cation attempts and launch
NIST specifically mentions backdoor keys as one of the seven categories of vulnerability in Secure Shell.
and say it was also essen- tially an SSH backdoor. Fortinet, however, has downplayed the allegation, saying it was a “manage- ment authentication issue” that was fixed some time ago.
Coincidentally, the National Institute of Standards and Technology recently released new guid- ance on the security of SSH key-based access, which
it said organizations often overlook. That is a bad thing, as NIST also points out, because misuse of SSH keys “could lead to unau- thorized access, often with high privileges.”
However, NIST pointed out, SSH public-key authentication can also
be used to create a back- door by generating a new key pair and adding a
new authorized key to an existing authorized key’s file. That allows someone to get around the access management system and its monitoring and auditing capabilities.
Other vulnerabilities NIST cited include poor SSH implementation; im- properly configured access controls; stolen, leaked, derived and unterminated keys; unintended use of keys; theft of keys as at-
brute-force attacks on targeted servers.
The big problem with those kinds of vulnerabili- ties is not necessarily that they exist. If they are quick- ly noticed and patched, any likely damage is minimized. But the OpenSSL bug went unnoticed for several years, so the door to networks and systems that used
the protocol was open all that time. Likewise, the OpenSSH bug could have been present on versions
of the FreeBSD operating system as far back as 2007.
Heartbleed redux? Not so far, it seems, but the year is young. •
GCN JANUARY/FEBRUARY 2016 • GCN.COM 11