SSHamble: runZero’s Open Source Tool to Secure Your SSH Implementations
Experts at runZero have uncovered numerous vulnerabilities related to poorly secured or improperly implemented SSH services, an unexpected discovery during their investigation of a backdoor in the XZ Utils data compression utility, which was detected in March.
The investigation began when runZero initiated a probe into a mysterious individual, believed to be responsible for embedding the backdoor in SSH servers—a certain Jia Tan. During the analysis of the SSH protocol, the experts identified a multitude of long-standing issues related to server deployments and SSH implementations in various devices, such as wireless access points, routers, and firewalls. The vulnerabilities were not in the SSH protocol itself but in its implementation across different devices.
The primary vulnerabilities included:
- Unauthenticated information disclosure
- Unusual implementation of public key authentication
- Vulnerability to brute-force attacks
These issues are tied to outdated SSH features that have not been improved in recent years, leaving potential avenues for attacks on Secure Shell servers. In one instance, specialists discovered a problem related to Git servers and the use of SSH, which could lead to remote code execution and arbitrary access to source code.
runZero also developed a tool called SSHamble to test SSH implementations for vulnerabilities that typically go unnoticed because no one thinks to look for them.
“Our research uncovered over fifty thousand unauthenticated shells and misconfigurations, posing widespread risk,” said HD Moore. “We developed SSHamble as an open source project to help security professionals identify SSH exposures and misconfigurations and enable vendors to test their appliances and tooling before they ship. runZero’s mission is to enhance security visibility, improve exposure management, and speed up response times. We are excited to offer this free tool in support of these efforts.”
SSHamble is a research tool for SSH implementations that includes:
- Interesting attacks against authentication
- Post-session authentication attacks
- Pre-authentication state transitions
- Authentication timing analysis
- Post-session enumeration
At the Black Hat conference, runZero specialists presented a detailed report on their findings. The research revealed that many devices remain vulnerable due to the improper use of SSH.
