Photo credit: bleeping computer
In a prior blog, SSHhhh, Hackers at Work Here, we discussed how some of the most common attacks do not require much sophistication, just errors in configuration.
As a counterpoint, here we discuss an attack against the same protocol that is an example of a fairly sophisticated attack recently disclosed. The attack exploits a set of vulnerabilities in OpenSSH (identified as CVE-2023-48795, CVE-2023-46445 and CVE-2023-46446) to downgrade the security of OpenSSH.
As mentioned, the attack requires a fair degree of sophistication, but the impact is that an attacker who can observe secure shell traffic can downgrade the connection's security so that the protocol is no longer secure.
Researchers from the Ruhr University Bochum discovered the vulnerability and prototyped an attack proof of concept. You can start with this article to delve deeper.
Internet scans have currently found over 12 million instances of this OpenSSH vulnerability. Because the attack requires an adversary to be able to observe the protocol traffic and then inject the attack, the risk of this attack is low for most firms. However, firms that are targeted by adversaries should pay attention to this vulnerability and look to mitigate it.
As with the less sophisticated OpenSSH attack, the first question you should ask is whether you need OpenSSH at all. We see OpenSSH running on web servers often without the company's awareness. If you can close the port, that is the best mitigation. Otherwise make sure the configuration is secure and the software is appropriately patched.
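The three mitigations above (is the port open at all, is the software patched, is the configuration secure) can each be checked from the host. The script below is an added example written for this post, not code from the original article or from the OpenSSH project. It assumes `ss -ltn` style output for the listening check, parses the version out of the standard `SSH-2.0-OpenSSH_x.y` identification banner, and reads `Ciphers`/`MACs` directives from a copy of sshd_config. The algorithm names it flags (chacha20-poly1305@openssh.com, and CBC ciphers paired with `-etm@openssh.com` MACs) are the ones named in the public Terrapin disclosure for CVE-2023-48795; confirm them against your vendor's advisory. The minimum patched version is a placeholder you must set from that advisory. All sample inputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: defender-side audit helpers for the mitigations in the post.

# Algorithms the Terrapin disclosure names as affected (verify against your
# vendor advisory). A CBC cipher only matters when paired with an ETM MAC.
# Placeholder: replace with the fixed version from your vendor's advisory.
# Until you do, every banner is reported as needing review.
MIN_PATCHED_VERSION="${MIN_PATCHED_VERSION:-99.0}"

# 1. Is anything listening on the SSH port at all?  $1 is `ss -ltn` output,
#    $2 the port. Returns 0 (true) when a LISTEN socket on that port exists.
listening_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" && $4 ~ (":" port "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# 2. Which OpenSSH version does the banner announce?  Prints "major.minor",
#    e.g. "9.4" for "SSH-2.0-OpenSSH_9.4p1 Debian-1".
ssh_banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/^SSH-2\.0-OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# 3. Compare two "major.minor" strings; returns 0 (true) when $1 >= $2.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        if (x[1] + 0 > y[1] + 0) exit 0
        if (x[1] + 0 < y[1] + 0) exit 1
        exit (x[2] + 0 >= y[2] + 0) ? 0 : 1
    }'
}

# 4. Does sshd_config ($1) still enable the affected algorithms?  sshd uses
#    the first occurrence of a keyword, so only the first line is read.
#    Prints findings; returns 0 (true) when something weak is enabled.
sshd_config_has_weak_algos() {
    ciphers=$(awk 'tolower($1) == "ciphers" { print tolower($2) }' "$1" | head -n 1)
    macs=$(awk 'tolower($1) == "macs" { print tolower($2) }' "$1" | head -n 1)
    weak=1
    if [ -z "$ciphers" ]; then
        echo "note: no Ciphers directive; compiled-in defaults apply, check them"
    fi
    case "$ciphers" in
        *chacha20-poly1305@openssh.com*)
            echo "weak: chacha20-poly1305@openssh.com is enabled"; weak=0 ;;
    esac
    # No MACs directive means the compiled-in defaults, which include ETM MACs.
    case "$ciphers" in
        *-cbc*)
            case "${macs:-defaults-with-etm@openssh.com}" in
                *-etm@openssh.com*)
                    echo "weak: CBC cipher paired with an ETM MAC"; weak=0 ;;
            esac ;;
    esac
    return $weak
}

# Constructed sample inputs (not from a real host) so the script runs offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    *:443               *:*'
SAMPLE_BANNER='SSH-2.0-OpenSSH_9.4p1 Debian-1'

if listening_on_port "$SAMPLE_SS" 22; then
    echo "sshd is listening on port 22: is it needed at all?"
fi
ver=$(ssh_banner_version "$SAMPLE_BANNER")
if version_at_least "$ver" "$MIN_PATCHED_VERSION"; then
    echo "banner version $ver meets threshold $MIN_PATCHED_VERSION"
else
    echo "banner version $ver is below threshold $MIN_PATCHED_VERSION: patch"
fi
cfg=$(mktemp)
printf 'Ciphers aes128-cbc,aes256-gcm@openssh.com\nMACs hmac-sha2-256-etm@openssh.com\n' > "$cfg"
sshd_config_has_weak_algos "$cfg" && echo "review the algorithm configuration"
rm -f "$cfg"
```

On a live host, replace the constructed `SAMPLE_SS` with `$(ss -ltn)`, the banner with what `ssh -V` or a local banner grab reports, and the temporary file with the real sshd_config path; the functions themselves do not change.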