OpenSSH vulnerability and fake exploit

The details of the vulnerability are a mix of good news and bad news. The bad news: as of June 1, Qualys estimated that approximately 14 million network-accessible SSH servers were vulnerable, of which approximately 700,000 could realistically be attacked. The good news: the vulnerability is not that easy to exploit. It is relevant for distributions that use the standard glibc library. A successful attack requires approximately 10,000 connections to the vulnerable server, which, given the usual limits on the number of simultaneous connections and their duration, would take 6–8 hours. The second piece of bad news: a successful attack could give the attacker superuser rights. A working attack has been demonstrated only on a 32-bit distribution; there is no practical exploitation method for 64-bit systems yet. Standard protections such as ASLR also make the attack harder.


The dependency on glibc comes from the fact that the sshd server calls a number of its functions asynchronously, in a context where those functions are not safe to call. This creates a so-called “race condition”: if the vulnerable code runs at the right moment and with certain data already placed in memory, the result is execution of arbitrary code and complete control over the system. Qualys researchers spent a lot of time optimizing the attack, starting from a completely unrealistic scenario in which the result was achieved only after a month of continuous requests to the server. Along the way they studied old versions of OpenSSH (pre-2006), which had essentially the same vulnerability. “Winning” this race condition, that is, creating the conditions for a successful attack, is difficult, which is why many requests to the server are needed. Each time, the attacker opens a connection to the SSH server but does not complete authentication within 120 seconds, which is what triggers the unsafe code path.
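A defender cannot observe the race itself, but the paragraph above gives a usable signal: every attempt leaves behind a connection that hits the 120-second authentication timeout, and thousands of them are needed. The C program below is an added example (not from the original post and not Qualys code) that tallies such timeouts per source address over constructed sshd log lines. The hostname, addresses, timestamps and the alert threshold of 3 are assumptions made for the illustration; the message text is modeled on the line sshd logs when the login grace period runs out.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 64
#define IP_LEN 46   /* enough for an IPv6 literal */

struct source_count {
    char ip[IP_LEN];
    int timeouts;
};

/* Constructed sample log lines (hostname, addresses and times are made up),
 * modeled on the message sshd emits when a client exhausts the login grace
 * period without authenticating. */
static const char *const SAMPLE_LOG[] = {
    "Jul  2 10:15:01 bastion sshd[2211]: fatal: Timeout before authentication for 198.51.100.7 port 50211",
    "Jul  2 10:15:03 bastion sshd[2214]: Accepted publickey for ops from 203.0.113.5 port 41002 ssh2",
    "Jul  2 10:17:02 bastion sshd[2219]: fatal: Timeout before authentication for 198.51.100.7 port 50212",
    "Jul  2 10:19:05 bastion sshd[2223]: fatal: Timeout before authentication for 203.0.113.5 port 41010",
    "Jul  2 10:19:06 bastion sshd[2227]: fatal: Timeout before authentication for 198.51.100.7 port 50213",
    "Jul  2 10:21:10 bastion sshd[2231]: Connection closed by authenticating user ops 203.0.113.5 port 41011 [preauth]",
    "Jul  2 10:21:11 bastion sshd[2235]: fatal: Timeout before authentication for 198.51.100.7 port 50214",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Pull the peer address out of a grace-timeout line. Returns 1 and fills ip
 * on a match, 0 for any other line. */
int parse_auth_timeout(const char *line, char *ip, size_t iplen) {
    static const char marker[] = "Timeout before authentication for ";
    const char *p = strstr(line, marker);
    if (p == NULL) return 0;
    p += sizeof marker - 1;
    size_t n = strcspn(p, " ");          /* address ends at the space before "port" */
    if (n == 0 || n >= iplen) return 0;
    memcpy(ip, p, n);
    ip[n] = '\0';
    return 1;
}

/* Tally grace timeouts per source address. Returns the number of distinct
 * sources written to out (at most max). */
size_t count_auth_timeouts(const char *const *lines, size_t nlines,
                           struct source_count *out, size_t max) {
    size_t nsrc = 0;
    char ip[IP_LEN];
    for (size_t i = 0; i < nlines; i++) {
        if (!parse_auth_timeout(lines[i], ip, sizeof ip)) continue;
        size_t j;
        for (j = 0; j < nsrc; j++)
            if (strcmp(out[j].ip, ip) == 0) break;
        if (j == nsrc) {
            if (nsrc == max) continue;   /* table full; a real tool would report this */
            strcpy(out[nsrc].ip, ip);
            out[nsrc].timeouts = 0;
            nsrc++;
        }
        out[j].timeouts++;
    }
    return nsrc;
}

/* Timeouts recorded for one address, 0 if it never appeared. */
int timeouts_for(const struct source_count *s, size_t n, const char *ip) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(s[i].ip, ip) == 0) return s[i].timeouts;
    return 0;
}

/* Number of sources at or above the alert threshold. */
size_t sources_at_or_above(const struct source_count *s, size_t n, int threshold) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i].timeouts >= threshold) hits++;
    return hits;
}

/* Run the tally over the constructed sample and return how many sources
 * cross the threshold. */
size_t scan_sample(int threshold) {
    struct source_count table[MAX_SOURCES];
    size_t n = count_auth_timeouts(SAMPLE_LOG, SAMPLE_LOG_LEN, table, MAX_SOURCES);
    return sources_at_or_above(table, n, threshold);
}

int main(void) {
    struct source_count table[MAX_SOURCES];
    size_t n = count_auth_timeouts(SAMPLE_LOG, SAMPLE_LOG_LEN, table, MAX_SOURCES);
    for (size_t i = 0; i < n; i++)
        printf("%-40s %d grace timeout(s)%s\n", table[i].ip, table[i].timeouts,
               table[i].timeouts >= 3 ? "  <-- review" : "");
    return 0;
}
```

A real deployment would window the counts by time and hand them to rate limiting or alerting. A legitimate client rarely trips the grace timeout more than once, so even a low threshold per source is informative, and the thousands of connections the attack needs stand out clearly against that baseline.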

The vulnerability was fixed in the OpenSSH 9.8 release and affects many Linux-based distributions, including Debian/Ubuntu, Alpine Linux, Red Hat/Fedora, SUSE Enterprise Linux and others. It also affects FreeBSD, but cannot be exploited on OpenBSD, which calls syslog_r() instead of syslog(), a function that is unsafe in an asynchronous context. An interesting twist in this story was the appearance of a fake exploit for the vulnerability. The archive, whose distribution is clearly aimed at security researchers, contains both a publicly available (but non-working) proof-of-concept and a malicious Linux script that downloads additional modules from a command-and-control server.
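The OpenBSD contrast above (syslog_r() in place of syslog()) is one way to keep a signal handler safe; the other is to reduce the handler to setting a flag and do the logging later from ordinary program context. The C block below is an added example, not OpenSSH code, showing that second pattern for a login-grace timer. The function names, the peer address and the port are made up for the illustration; the unsafe variant is described only in the comments.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Written only by the signal handler, read by the main loop. sig_atomic_t is
 * the integer type guaranteed to be accessed atomically with respect to
 * signals. */
static volatile sig_atomic_t grace_expired = 0;

/* Handler for the login-grace alarm. It records the event and nothing else.
 * The unsafe variant the post describes would format a message and call
 * syslog() here; syslog() takes locks and allocates, so if the alarm lands
 * while the main program is inside malloc() or another non-reentrant
 * function, the handler re-enters it on inconsistent state. */
static void grace_alarm_handler(int signo) {
    (void)signo;
    grace_expired = 1;
    /* If a message is needed from inside the handler, write(2) is on the
     * async-signal-safe list: constant string, no formatting, no allocation. */
    static const char msg[] = "grace timer expired\n";
    write(STDERR_FILENO, msg, sizeof msg - 1);
}

/* Install the handler for SIGALRM. Returns 0 on success, -1 on failure. */
int install_grace_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Main-loop side: consume the flag and do the work that is not signal-safe
 * (formatted logging, tearing down connection state) in normal context.
 * Returns 1 if a timeout was handled, 0 if the flag was not set. */
int handle_expired_grace(const char *peer, int port, char *buf, size_t buflen) {
    if (!grace_expired) return 0;
    grace_expired = 0;
    snprintf(buf, buflen, "Timeout before authentication for %s port %d", peer, port);
    return 1;
}

/* Demo driver: install the handler, deliver SIGALRM synchronously with
 * raise(), then let the "main loop" react. Peer and port are made up. */
int grace_timer_demo(char *buf, size_t buflen) {
    if (install_grace_handler() != 0) return -1;
    raise(SIGALRM);
    return handle_expired_grace("192.0.2.10", 40022, buf, buflen);
}

int main(void) {
    char buf[128];
    if (grace_timer_demo(buf, sizeof buf) == 1)
        printf("main loop logged: %s\n", buf);
    return 0;
}
```

In a real daemon the main loop would check the flag on every pass through its select/poll cycle; the only cost of the pattern is that the timeout is acted on a moment later than the signal arrived, which is harmless for a grace period measured in minutes.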

What else happened?

Another big event last week was the release of a collection of (almost) 10 billion leaked passwords. Troy Hunt, a well-known expert on data breaches, was not impressed by the news: he pointed to a previous 2021 leak of the same name containing 8.4 billion records, which included, among other things, “all words from Wikipedia” and “all words from Project Gutenberg books”. At that time, the Have I Been Pwned database contained 14 times fewer records, because it stores passwords from real data leaks rather than a compilation of everything under the sun.

Two news stories describe the same problem: sensitive data stored on a computer in plain text. This time the criticism was aimed at the ChatGPT app and the Signal client for macOS. In the first case, encryption of saved conversations with the chatbot has since been added; the second “problem” has been discussed for years and, apparently, is simply not part of this messenger’s threat model.

Cloudflare now offers its customers a service that automatically blocks requests from various automated systems, usually bots collecting data for AI training.

A new research paper demonstrates new methods of attacking the branch prediction units in Intel processors.
