UPDATE–Unix and Linux versions of Tectia SSH server as well as the open source versions of Free FTPD and FreeSSHD for Windows are vulnerable to a critical remote authentication bypass exploit published on the Free Disclosure List.
The exploit, disclosed by the same researcher who reported a slew of MySQL database vulnerabilities, opens a shell without the need for a password. Tectia SSH is a commercial version of SSH, the secure shell protocol used for remote connectivity. FreeSSHD is a free SSH server, while freeFTPd is a free FTP server that gives remote users access to files.
Tectia SSH is used at large companies, but is not widely deployed; Shodanhq shows about 500 servers running the software, according to King Cope, the researcher who disclosed the zero-day vulnerabilities and exploits. HD Moore, creator of the Metasploit Project and CSO at Rapid7, reported similar numbers to Threatpost after looking into the issue.
“He dropped an exploit where you can log in as root,” Moore said. “There are about 9 million secure shell servers deployed. I see about 660 secure shell servers running Tectia, a pretty small number.”
As of yesterday afternoon, Moore said a Metasploit exploit module was close to ready for the platform.
“Shodanhq.com shows about 500 servers running [Tectia], but that is not representative,” King Cope said in an email to Threatpost. “FreeFTPD and FreeSSHD for Windows are much more deployed over the Internet. My postings include exploits for both.”
King Cope said FreeFTPD can be exploited without supplying a username and password, and FreeSSHD can be exploited without supplying a password. Both exploits will give a full administrator shell, he said.
Samuel Lavitt, senior security architect at SSH Communications Security, said in an advisory that SSH has confirmed in testing that the exploit targets a vulnerability in the SSH USERAUTH CHANGE REQUEST function. SSH Tectia Server 6.0.4 to 6.0.20, 6.1.0 to 6.1.12, 6.2.0 to 6.2.5, and 6.3.0 to 6.3.2 are affected. Client implementations are not vulnerable.
SSH released a patch for the vulnerability today. As a workaround, Lavitt recommended disabling “old style” password authentication on affected versions; the keyboard-interactive, GSSAPI and public key authentication methods are not vulnerable. Windows and z/OS servers are also not vulnerable, he said.
“Effective workaround[s] exists,” Lavitt said. “Updated versions providing a permanent fix to this issue are in testing.”
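The affected version ranges in the advisory above lend themselves to a quick inventory triage check. The following script is an added example, not code from Threatpost, SSH Communications Security or the researcher; it assumes the Tectia server banner has the shape `SSH-2.0-<major>.<minor>.<patch>[.<build>] SSH Tectia Server` and matches the parsed version against the ranges listed in the article. The platform (Unix/Linux vs. Windows/z/OS) and the authentication methods enabled cannot be read from the banner, so a hit only means the host deserves a closer look.

```python
import re

# Affected SSH Tectia Server ranges as listed in the vendor advisory,
# one inclusive (low, high) pair per release branch.
AFFECTED_RANGES = [
    ((6, 0, 4), (6, 0, 20)),
    ((6, 1, 0), (6, 1, 12)),
    ((6, 2, 0), (6, 2, 5)),
    ((6, 3, 0), (6, 3, 2)),
]

# Assumed banner shape (an assumption, not taken from the article):
# "SSH-2.0-<major>.<minor>.<patch>[.<build>] SSH Tectia Server"
BANNER_RE = re.compile(
    r"^SSH-2\.0-(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s+SSH Tectia Server", re.IGNORECASE
)


def parse_tectia_version(banner):
    """Return (major, minor, patch) for a Tectia banner, or None for anything else."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version tuple falls inside any advisory range (build number ignored)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess_banner(banner):
    """Classify a banner as 'affected', 'not-affected' or 'not-tectia'.

    Platform and enabled auth methods are not visible here, so 'affected'
    is a triage flag for patching or applying the vendor workaround.
    """
    version = parse_tectia_version(banner)
    if version is None:
        return "not-tectia"
    return "affected" if is_affected(version) else "not-affected"


# Constructed sample banners for an offline run; not real hosts.
SAMPLE_BANNERS = [
    "SSH-2.0-6.1.9.95 SSH Tectia Server",    # inside 6.1.0 - 6.1.12
    "SSH-2.0-6.3.3.0 SSH Tectia Server",     # just past 6.3.2
    "SSH-2.0-6.0.3.12 SSH Tectia Server",    # just before 6.0.4
    "SSH-2.0-OpenSSH_6.0p1 Debian-4",        # different product entirely
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r}: {assess_banner(b)}")
```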
This article was updated Dec. 5 to include a link to the patch from SSH.