What Is SSH and How Do Hackers Attack It


Admittedly, SSH isn't something the average home user deals with on a daily basis, but nevertheless, it probably pays to know what it is. SSH stands for Secure Socket Shell, and it's a network protocol used by system and website administrators who need to remotely log into a server and execute commands, modify files, or change configuration settings.

Obviously, other protocols give admins the ability to do the same things, and some even provide additional convenience like a graphical user interface (with SSH, you only get a command line). The key with SSH is the first "S", which, as we established already, stands for "Secure".

SSH as a protocol appeared way back in 1995, and its main advantage is that the communication between the sysadmin's client and the server is encrypted. Although some flaws were found in the protocol's first version, SSH-2, the standard that was adopted in 2006, is thought to have no exploitable vulnerabilities.

With that said, establishing an SSH connection involves the traditional username-and-password authentication, and as we all know, this mechanism is susceptible to attacks.

SSH brute-force attacks

You all probably know what a brute-force attack is already. Hackers test a number of username and password combinations until they "guess" the right one and gain access to an account, or, in this case, a server. The biggest problem with a brute-force attack is that often, systems are designed to stop intruders after a preset number of unsuccessful login attempts. And unlike a regular website, with SSH, brute-forcing offline is not an option.

That's why, in an SSH brute-force attack, the mechanism is reversed. Instead of trying thousands of username and password combinations on a single server, the crooks try one username and password combination on thousands of servers. People use weak passwords, which makes the attack feasible, and because every server registers just one failed login attempt at most, the hackers don't have to worry about any lockout mechanisms.
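Because each server sees only a single failure, the pattern becomes visible only when failed logins from the whole fleet are counted together by source address. The sketch below is an added example, not part of the original article: it assumes OpenSSH-style syslog lines collected centrally, and the log lines, host names, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: centralized syslog lines from three hosts (not real data).
SAMPLE_LOGS = """\
Oct 17 03:12:01 web01 sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct 17 03:12:02 web02 sshd[455]: Failed password for root from 203.0.113.7 port 40190 ssh2
Oct 17 03:12:04 db01 sshd[990]: Failed password for root from 203.0.113.7 port 40233 ssh2
Oct 17 09:30:11 web01 sshd[812]: Failed password for invalid user alice from 198.51.100.20 port 51000 ssh2
Oct 17 09:30:15 web01 sshd[812]: Failed password for invalid user alice from 198.51.100.20 port 51000 ssh2
Oct 17 09:31:40 web02 sshd[460]: Accepted password for deploy from 192.0.2.15 port 52044 ssh2
"""

# OpenSSH failure line: "<ts> <host> sshd[pid]: Failed password for [invalid user ]<user> from <ip> port <n>"
FAILED = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def failures_by_source(log_text):
    """Count failed logins as source_ip -> host -> number of failures."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            counts[m["ip"]][m["host"]] += 1
    return counts

def find_sprayers(log_text, min_hosts=3, max_per_host=2):
    """Fleet-wide view: sources that fail on at least min_hosts servers
    while staying at or under max_per_host failures on each of them."""
    flagged = {}
    for ip, hosts in failures_by_source(log_text).items():
        if len(hosts) >= min_hosts and max(hosts.values()) <= max_per_host:
            flagged[ip] = sorted(hosts)
    return flagged

def would_trip_lockout(log_text, threshold=5):
    """Per-host view: (host, ip) pairs that reach a local lockout threshold."""
    tripped = set()
    for ip, hosts in failures_by_source(log_text).items():
        tripped.update((host, ip) for host, n in hosts.items() if n >= threshold)
    return tripped

if __name__ == "__main__":
    print("fleet-wide:", find_sprayers(SAMPLE_LOGS))
    print("per-host lockout:", would_trip_lockout(SAMPLE_LOGS))
```

On the sample, the per-host lockout check flags nothing, while the fleet-wide count singles out the one source that failed once on each of three servers.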

It's what's known in the industry as a spray-and-pray attack, meaning that the crooks are hoping that if they hit enough servers, one of them will let them in. It could, indeed, be effective, but as you can see, it's not particularly useful if the crooks have set their sights on a particular target. On October 17, security researchers found out that compromising particular servers with the help of SSH is possible. Mind you, there are a few conditions to be met.

A libssh authentication bypass vulnerability

First of all, you shouldn't confuse libssh with SSH. libssh is a library that helps system administrators implement SSH. Peter Winter-Smith, a security researcher working for NCC Group, found a flaw in it that is terrifyingly easy to exploit.

The bug has existed since libssh 0.6, which was released way back in 2014, and it lies in the mechanism that handles messages between the server and the client. Normally, before authentication, the client sends the server an SSH2_MSG_USERAUTH_REQUEST message, and the server requests the user's username and password. Winter-Smith found out that if the client instead sends an SSH2_MSG_USERAUTH_SUCCESS message, the server simply lets the user carry on without asking for login credentials.

In other words, instead of saying "Can I come in?", the client states "I'm already in.", and the server simply agrees.

Indeed, it's a scary bug, and the news that GitHub, the world's biggest code hosting platform, uses libssh, threw some people into a state of panic. It turned out that they had overreacted. In fact, some reports appear to have blown the bug out of proportion. GitHub's team announced that they use a modified version of libssh and that their platform is not affected. According to Peter Winter-Smith himself, the number of vulnerable devices is relatively small. A patch is available, so hopefully, it will be even smaller very soon.

SSH is a solid network protocol, but it's only as secure as system administrators make it. Strong passwords and careful encryption key management are a must. While, for the time being, there are no bugs in the protocol itself, the software applications that use it are bound to have vulnerabilities that are yet to be discovered. Quick and efficient handling of those vulnerabilities could mean the difference between keeping your platform safe and exposing it to cybercriminals.

October 23, 2018
