Every version of the popular OpenSSH program — a critical, widely used tool for secure communications — shares a critical vulnerability that was present in the program’s initial 1999 release.
The defect was published last week by researchers from Qualys, who were releasing a patch that corrected it (the patch was intended to fix a different problem, and Qualys’s researchers inadvertently and simultaneously discovered and fixed this very old bug).
Operating system vendors are likely to update their OpenSSH code quickly, but the real problem is the many embedded devices that have been orphaned, that are indifferently maintained by their vendors, or whose owners never patch them: these are likely to remain vulnerable to exploitation via the new bug forever.
This bug allows a remote attacker to guess the usernames registered on an OpenSSH server. Since OpenSSH is used with a bunch of technologies ranging from cloud hosting servers to mandate IoT equipment, billions of devices are affected.

As researchers explain, the attack scenario relies on an attacker trying to authenticate on an OpenSSH endpoint via a malformed authentication request (for example, via a truncated packet).
A vulnerable OpenSSH server would react in two very different ways when this happens. If the username included in the malformed authentication request does not exist, the server responds with an authentication failure reply. If the user does exist, the server closes the connection without a reply.
This small behavioral detail allows an attacker to guess valid usernames registered on an SSH server. Knowing the exact username may not pose an immediate danger, but it exposes that username to brute-force or dictionary attacks that can also guess its password.
Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades [Catalin Cimpanu/Bleeping Computer]
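The two server behaviours described above leave a footprint in the server's own auth log, which is what a defender can watch for while waiting on patches. The following added detection example is not from the article, Qualys or OpenSSH: it parses constructed sshd-style log lines (their format is an assumption here) and flags a source address that cycles through many distinct usernames and triggers both outcomes, the normal rejection and the abrupt pre-auth disconnect.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth log lines (sample data in an assumed format, not from the article).
# A nonexistent username gets an "Invalid user" line and a normal failure reply; an existing
# username hit with a truncated packet gets an abrupt pre-auth disconnect ("incomplete message").
SAMPLE_LOG = """\
Aug 20 10:00:01 host sshd[101]: Invalid user alice from 203.0.113.5 port 40001
Aug 20 10:00:01 host sshd[102]: Invalid user bob from 203.0.113.5 port 40002
Aug 20 10:00:02 host sshd[103]: Disconnecting authenticating user root 203.0.113.5 port 40003: incomplete message [preauth]
Aug 20 10:00:02 host sshd[104]: Invalid user carol from 203.0.113.5 port 40004
Aug 20 10:00:03 host sshd[105]: Disconnecting authenticating user deploy 203.0.113.5 port 40005: incomplete message [preauth]
Aug 20 10:00:09 host sshd[106]: Accepted publickey for deploy from 198.51.100.7 port 50001 ssh2
Aug 20 10:00:15 host sshd[107]: Invalid user admin from 198.51.100.9 port 50002
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
INVALID_RE = re.compile(r"Invalid user (\S+) from " + IPV4)
TRUNCATED_RE = re.compile(r"Disconnecting authenticating user (\S+) " + IPV4
                          + r" port \d+: incomplete message")


def collect_attempts(log_text):
    """Per source IP, split usernames tried into 'rejected' (server answered: no such user)
    and 'truncated' (server dropped the connection mid-authentication)."""
    per_src = defaultdict(lambda: {"rejected": set(), "truncated": set()})
    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            per_src[m.group(2)]["rejected"].add(m.group(1))
            continue
        m = TRUNCATED_RE.search(line)
        if m:
            per_src[m.group(2)]["truncated"].add(m.group(1))
    return per_src


def flag_enumeration(log_text, min_distinct=4):
    """Flag a source that cycles through many distinct usernames and triggers both
    outcomes: that mix is the footprint of probing the behavioural difference."""
    findings = []
    for src, seen in collect_attempts(log_text).items():
        distinct = len(seen["rejected"] | seen["truncated"])
        if distinct >= min_distinct and seen["truncated"]:
            findings.append({"src": src, "distinct_usernames": distinct,
                             "likely_existing": sorted(seen["truncated"])})
    return findings
```

On the sample, only 203.0.113.5 is flagged (five usernames probed, two of which the server treated as existing); the lone "Invalid user admin" from 198.51.100.9 stays below the threshold, and the names in `likely_existing` are the accounts worth prioritising for rate limiting and credential review.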