A simple but highly critical vulnerability, recently disclosed in the widely used OpenSSH software, allows attackers to try thousands of password login attempts per connection in a short period.
OpenSSH is the most popular software for secure remote access to Linux-based systems. Normally the software allows 3 to 6 password login attempts before closing a connection, but a new vulnerability lets attackers perform thousands of authentication requests remotely.
OpenSSH servers with keyboard-interactive authentication enabled, including FreeBSD Linux, can be exploited to carry out a brute-force attack against the OpenSSH protocol, a security researcher using the online alias KingCope explained in a blog post.
Exploit for the Vulnerability RELEASED
Hackers could widely exploit the vulnerability because keyboard-interactive authentication is enabled by default on most systems.
The researcher has also released proof-of-concept exploit code, which is just a single command:
ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost
This simple command effectively allows up to 10,000 password attempts within the two-minute login grace time.
"The crucial part is that if the attacker requests 10,000 keyboard-interactive devices OpenSSH will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded," KingCope said.
However, depending on the connection and the victim's Linux machine, a two-minute grace period and thousands of login attempts can be enough to achieve a successful login using a dictionary attack with a word list of the most commonly used passwords.
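From the defender's side, the behaviour described above leaves a clear trace: a single sshd connection that records more failed attempts than MaxAuthTries (default 6) would normally permit. The script below is an added example, not code from the article or from KingCope, that groups sshd authentication lines by connection (process id, source address and source port) and flags any connection whose failure count exceeds that limit. The log lines are constructed samples in the syslog format sshd writes; the method name in them ("keyboard-interactive/pam" or "password") is matched generically.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes (not real log data).
# The first connection (pid 2101) shows far more failures than MaxAuthTries allows.
SAMPLE_AUTH_LOG = """\
Jul 22 10:15:01 host sshd[2101]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 51234 ssh2
Jul 22 10:15:01 host sshd[2101]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 51234 ssh2
Jul 22 10:15:02 host sshd[2101]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 51234 ssh2
Jul 22 10:15:02 host sshd[2101]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 51234 ssh2
Jul 22 10:15:03 host sshd[2101]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 51234 ssh2
Jul 22 10:15:03 host sshd[2101]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 51234 ssh2
Jul 22 10:15:04 host sshd[2101]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 51234 ssh2
Jul 22 10:15:04 host sshd[2101]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 51234 ssh2
Jul 22 10:16:40 host sshd[2150]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jul 22 10:16:45 host sshd[2150]: Accepted password for alice from 198.51.100.9 port 40001 ssh2
"""

# One sshd authentication line: timestamp, host, pid, result, method, user, source.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)


def parse_auth_log(text):
    """Yield one dict per recognised sshd authentication line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
            yield rec


def find_over_limit_connections(text, max_auth_tries=6):
    """Return connections whose failed attempts exceed MaxAuthTries.

    One sshd child (pid) serving one source ip:port is one connection.
    sshd normally drops a connection once MaxAuthTries is exceeded, so more
    failures than that on a single connection means the server is accepting
    attempts past its configured limit, which is exactly what the
    keyboard-interactive device abuse described in the article produces.
    """
    groups = defaultdict(list)
    for rec in parse_auth_log(text):
        if rec["result"] == "Failed":
            groups[(rec["pid"], rec["ip"], rec["port"])].append(rec["ts"])
    findings = []
    for (pid, ip, port), stamps in groups.items():
        if len(stamps) > max_auth_tries:
            span = (max(stamps) - min(stamps)).total_seconds()
            findings.append({"pid": pid, "ip": ip, "port": port,
                             "failures": len(stamps), "seconds": span})
    return findings


if __name__ == "__main__":
    for f in find_over_limit_connections(SAMPLE_AUTH_LOG):
        print(f"pid {f['pid']} from {f['ip']}:{f['port']}: "
              f"{f['failures']} failures in {f['seconds']:.0f}s (over MaxAuthTries)")
```

Point the script at /var/log/auth.log (or the equivalent on your distribution) to run it on real data. Note that syslog may collapse identical consecutive lines into a "message repeated N times" entry, which this parser does not expand, so counts on real logs can be lower than the true number of attempts.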
The vulnerability is present in the latest version of OpenSSH, which is Version 6.9.
How to Mitigate the Attack?
Administrators are advised to take the following precautions until OpenSSH releases an official patch to address the issue:
- Use a cryptographic key pair that is at least 2,048 bits in length
- Always use a strong passphrase to protect your private key
- Reduce the login grace period to 20 or 30 seconds
- Use Fail2Ban or Pam-Shield to limit failed login attempts
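To check whether a server actually applies the grace-period advice above (and whether the keyboard-interactive and password methods the attack relies on are still enabled), the following added example audits an sshd_config. It is not code from the article or from the OpenSSH project. It follows sshd's own parsing rules (the first value seen for a keyword wins, and directives after the first Match line are conditional rather than global), and it treats ChallengeResponseAuthentication and KbdInteractiveAuthentication as the same switch, a simplification assumed here. The two config fragments are constructed samples; the 30-second threshold is the upper end of the range the article recommends.

```python
import re

# Constructed sshd_config fragments used as sample input (not from any real host).
WEAK_CONFIG = """\
# Stock settings: grace period and keyboard-interactive left at their defaults
#LoginGraceTime 2m
#MaxAuthTries 6
ChallengeResponseAuthentication yes
PasswordAuthentication yes
Match User backup
    LoginGraceTime 10
"""

HARDENED_CONFIG = """\
LoginGraceTime 30
MaxAuthTries 3
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Compiled-in defaults for the directives audited here (OpenSSH 6.x era).
DEFAULTS = {
    "logingracetime": "2m",
    "maxauthtries": "6",
    "challengeresponseauthentication": "yes",
    "passwordauthentication": "yes",
}


def parse_sshd_config(text):
    """Return the effective global directives as {lowercase_key: value}.

    Comments and blank lines are ignored, the first value seen for a keyword
    wins (as in sshd), and parsing stops at the first Match line because
    everything after it applies only to matching connections.
    """
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            effective[key] = value
    return effective


def to_seconds(value):
    """Convert an sshd time value ('30', '2m', '1h30m') to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    total = 0
    for num, unit in re.findall(r"(\d+)([smhdw]?)", value.lower()):
        total += int(num) * units.get(unit, 1)
    return total


def audit_sshd_config(text, max_grace_seconds=30):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings = []
    grace = to_seconds(cfg["logingracetime"])
    if grace > max_grace_seconds:
        findings.append(f"LoginGraceTime is {grace}s; reduce it to {max_grace_seconds}s or less")
    # Either directive name switches keyboard-interactive on; ChallengeResponse defaults to yes.
    kbd_keys = ("challengeresponseauthentication", "kbdinteractiveauthentication")
    if any(cfg.get(k, "no").lower() == "yes" for k in kbd_keys):
        findings.append("keyboard-interactive authentication is enabled")
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication is enabled; prefer key-based login")
    if int(cfg["maxauthtries"]) > 6:
        findings.append(f"MaxAuthTries is {cfg['maxauthtries']}; keep it at the default or lower")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['ok']}")
```

To audit a live host, read /etc/ssh/sshd_config into the text argument. Keep in mind that the parser only sees the global section; a Match block can still re-enable password or keyboard-interactive logins for specific users or addresses, so inspect those separately.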