Linux Systems Being Hit By SSH-Key Attacks

HardOCP News

According to InformationWeek, Linux PCs are being attacked by a technique that uses stolen SSH keys to gain access to computers; then, using a local kernel exploit, a rootkit is installed in order to steal other SSH keys and send them back to the attacker.

"Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that does not use the now-disabled /dev/kmem device," explains computer security group Packet Storm on its Web site. "Features include file hiding, process hiding, socket hiding, a tty sniffer, a tty connectback-backdoor, and auto injection on boot."
 
According to US-CERT, the attack appears to rely on stolen SSH keys to gain access to a system. It then uses a local kernel exploit to gain root access,
So basically only sloppy sysadmins are at risk, esp. Debian-based ones (who ain't updated their SSH keys) and those who are using a kernel < 2.6.23, when the vmsplice bug was found.

Still bad, but as long as a sysadmin is doing his job, there should be no problems.
 
So basically only sloppy sysadmins are at risk, esp. Debian-based ones (who ain't updated their SSH keys) and those who are using a kernel < 2.6.23, when the vmsplice bug was found.

Still bad, but as long as a sysadmin is doing his job, there should be no problems.

Security should never rely on the admin doing their job, particularly if the Linux folks want to move out of the hobbyist demographic and become an OS widely used by Joe Schmoe.
 
I don't think Joe Schmoe typically cares about security -- more about usability and familiarity of interface.
 
Which is why you can never be too confident in your security...even if you did everything right. In other words, never brag about being secure, someone will prove you wrong eventually.
 
I don't think Joe Schmoe typically cares about security -- more about usability and familiarity of interface.

Agreed, and that's why the developers of the OS need to assume that Joe (or Mr Lazy Admin) exists and do what can be done to mitigate that.
 
Agreed, and that's why the developers of the OS need to assume that Joe (or Mr Lazy Admin) exists and do what can be done to mitigate that.

And what can the developers of the OS do to prevent a bug in a third-party application from allowing access? You seem to be confusing Linux and Debian's OpenSSL random number generator flaw as being one and the same.

In order for this vulnerability to come to fruition, there is a long string of specific versions of software and a whole slew of factors that must be in place. In short, this vulnerability will probably have little impact.
 
I don't think Joe Schmoe typically cares about security -- more about usability and familiarity of interface.

Now allow me to debate, but that's an elitist point of view. If you abandon your ego and actually ask John Doe if he cares about security once you tell him what can happen to his information if he doesn't, you can be pretty sure his survival instincts will take care of the rest.
 
Security should never rely on the admin doing their job, particularly if the Linux folks want to move out of the hobbyist demographic and become an OS widely used by Joe Schmoe.

No, but it should rely on good auditing practices to catch any holes in software and lazy admins.
 
Gosh, how can someone be hypercritical of Windows security and apologize when a much worse exploit hits Debian? Oh, I see it was already posted above. :p
 
[Attached image: Screenshot-SystemMonitor.png]

safe...
 
Maybe this is a response to what Linus was mentioning a while before about the craziness in security, lol.
 
Now allow me to debate, but that's an elitist point of view. If you abandon your ego and actually ask John Doe if he cares about security once you tell him what can happen to his information if he doesn't, you can be pretty sure his survival instincts will take care of the rest.

Even still, caring is one thing, but caring enough to take a proactive stance is completely different.

Maybe this is a response to what Linus was mentioning a while before about the craziness in security, lol.

I'm surprised anyone listens to that windbag anymore.
 
Now allow me to debate, but that's an elitist point of view. If you abandon your ego and actually ask John Doe if he cares about security once you tell him what can happen to his information if he doesn't, you can be pretty sure his survival instincts will take care of the rest.

This has nothing to do with my ego. I guess if you told him "I will hack your computer in 2 minutes and steal all your passwords", then he would REALLY care, but that's not exactly the level of risk that we deal with in day-to-day security holes. Realistically though, we're not discussing such a case.
 
I really hope iptables is blocking the port SSH uses on my rig back home..

Especially since I only use VNC anyway...

Which kernel versions have this vulnerability?
 
Security should never rely on the admin doing their job, particularly if the Linux folks want to move out of the hobbyist demographic and become an OS widely used by Joe Schmoe.

Joe Schmoe also isn't going to be running an SSH server. In this case, security should rely on the admin doing their job since it requires setting up a remote access server (which day to day desktop systems like Ubuntu aren't going to have by default) to work. This requires already knowing a system's SSH key in the first place. So it would be like someone has the remote login password for a Windows box, and uses that to get more remote login passwords. The "flaw" inherently comes from the initial leak of the key. Also, SSH servers that require a user password don't suffer from this flaw.

So essentially, for this to work you have to have an SSH server set up where the only authentication is a shared key (which is not the default setting for openssh-server).
 
Stolen login credentials lead to unauthorized access of computer resources. Who knew?
 
I really hope iptables is blocking the port SSH uses on my rig back home..

Especially since I only use VNC anyway...

Which kernel versions have this vulnerability?

If you require a login for your SSH (username/password), then you don't suffer from the flaw to begin with.
 
Joe Schmoe also isn't going to be running an SSH server. In this case, security should rely on the admin doing their job since it requires setting up a remote access server (which day to day desktop systems like Ubuntu aren't going to have by default) to work. This requires already knowing a system's SSH key in the first place. So it would be like someone has the remote login password for a Windows box, and uses that to get more remote login passwords. The "flaw" inherently comes from the initial leak of the key. Also, SSH servers that require a user password don't suffer from this flaw.

So essentially, for this to work you have to have an SSH server set up where the only authentication is a shared key (which is not the default setting for openssh-server).

qft... this is a non-issue, and anyone that even remotely thinks it is just shows how utterly ignorant they really are....
 
I really hope iptables is blocking the port SSH uses on my rig back home..

Especially since I only use VNC anyway...

Which kernel versions have this vulnerability?

SSH/OpenSSH runs on port 22; if you have a router you would have to open it up.

I believe 2.6.1x to 2.6.23 were affected. As burnin8r posted 2.6.24 he's not susceptible to the 'vmsplice' issue as described... but I'm sure there are other holes ;)

(p.s. burnin8r what skin is that? Looks neat-o)

Though the biggest thing no one has picked up on is that it requires a "local kernel exploit", so the attacker has to physically be at the machine.
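Two checks a defender would actually run after reading the posts above about key-only sshd setups and the affected 2.6.1x to 2.6.23 kernel window: a version heuristic for the vmsplice bug and a parser that reports which sshd authentication methods are enabled. This is an added example, not code from the thread or from OpenSSH; the sshd_config text is constructed, and the version check assumes `uname -r` output, treating a match as "verify this host" because distribution kernels often ship backported fixes under an unchanged version string.

```python
import re

# Kernel window the thread calls out for the vmsplice local root bug:
# 2.6.1x up to and including 2.6.23; 2.6.24 is described as unaffected.
AFFECTED_MIN = (2, 6, 10)
AFFECTED_MAX = (2, 6, 23)

def parse_release(release):
    """(major, minor, patch) from a `uname -r` string like '2.6.22-14-generic'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups())

def kernel_in_affected_range(release):
    """Heuristic: distro kernels often carry backported fixes under an
    unchanged version string (the thread mentions hotfixes), so True means
    'verify this host', not 'confirmed vulnerable'."""
    return AFFECTED_MIN <= parse_release(release) <= AFFECTED_MAX

def sshd_auth_mode(config_text):
    """Which auth methods an sshd_config enables. Unset keywords take
    OpenSSH's default (both 'yes'); like sshd, the first occurrence wins."""
    settings = {"pubkeyauthentication": "yes", "passwordauthentication": "yes"}
    seen = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                              # blank or malformed line
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    return {"pubkey": settings["pubkeyauthentication"] == "yes",
            "password": settings["passwordauthentication"] == "yes"}

# Constructed sample sshd_config, not taken from any real host:
# key-only login, the configuration the thread discusses.
SAMPLE_CONFIG = """\
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
"""

def key_only_login(config_text):
    """True when sshd accepts keys but not passwords."""
    mode = sshd_auth_mode(config_text)
    return mode["pubkey"] and not mode["password"]
```

On a live host the inputs would come from `uname -r` and /etc/ssh/sshd_config; a kernel match plus a key-only sshd is the combination worth checking for the rootkit the article describes.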
 
SSH/OpenSSH runs on port 22; if you have a router you would have to open it up.

I believe 2.6.1x to 2.6.23 were affected. As burnin8r posted 2.6.24 he's not susceptible to the 'vmsplice' issue as described... but I'm sure there are other holes ;)

(p.s. burnin8r what skin is that? Looks neat-o)

Though the biggest thing no one has picked up on is that it requires a "local kernel exploit", so the attacker has to physically be at the machine.

yup :D
This really isn't as bad as it is being spun. ALL the exploits were patched very quickly (vmsplice was 30 min after it was made public) and distros pushed new kernels out shortly after that. Debian fixed their fuckup with SSL and informed ppl to regen keys (ffs Ubuntu has a popup that says it's gonna regen keys!)

A lot of things have to be in place for this to occur:

1) person has to have compromised keys (well, duur)
2) person resets the user's passwd so they can then log in to the physical machine
3) person logs in at the physical machine
4) the kernel in use MUST be one vulnerable to vmsplice (there were hotfixes for already running machines)
5) they must hope using said exploit DOESN'T just crash the machine (majority of the time it does)

THEN and only then can they have full control over the machine.


I mean, that is a lot to happen, and if someone has physical access to the machine there is already a path to compromising it.


When I heard about vmsplice I was a bit wtf, but within 15 min I had a new kernel on all my machines and was protected.
Since I don't use Debian (or deriv) machines for keys, I wasn't affected by the BS that the Debian devs did.


This isn't like the MSBlaster worm from a few years back.
 
Though the biggest thing no one has picked up on is that it requires a "local kernel exploit", so the attacker has to physically be at the machine.

No they don't, that is where SSH comes in. SSH is what allows the local exploit to be run remotely.

2) person resets the user's passwd so they can then log in to the physical machine
3) person logs in at the physical machine

Actually, no. As stated above, physical access isn't needed. Also, if there is a username/password needed to log in, the SSH vulnerability doesn't work and thus the exploit can't be executed.
 
roffles Linux zealots aplenty.

Hey Linus, where's your masturbating monkeys now?
 
SSH/OpenSSH runs on port 22; if you have a router you would have to open it up.

I believe 2.6.1x to 2.6.23 were affected. As burnin8r posted 2.6.24 he's not susceptible to the 'vmsplice' issue as described... but I'm sure there are other holes ;)

(p.s. burnin8r what skin is that? Looks neat-o)

Though the biggest thing no one has picked up on is that it requires a "local kernel exploit", so the attacker has to physically be at the machine.

My Linux box basically is my router - two NIC's and a WAP. :)

Anyway - whew - port 22 should be firewalled.
 
roffles Linux zealots aplenty.

Hey Linus, where's your masturbating monkeys now?

You do realize that the actual flaw in the kernel was already patched and fixed BEFORE the exploit, right? That it was fixed in less than an hour after it was discovered?
 
You do realize that the actual flaw in the kernel was already patched and fixed BEFORE the exploit, right? That it was fixed in less than an hour after it was discovered?

Spare me. The flaw existed once upon a time, just as Windows flaws are found and fixed, but you guys are all over it anyways. Besides, as one of you guys said, there are distros out there that use older kernels and apps.
 
Spare me. The flaw existed once upon a time, just as Windows flaws are found and fixed, but you guys are all over it anyways. Besides, as one of you guys said, there are distros out there that use older kernels and apps.

What is your point? Because people nitpick Microsoft's security, you decide to take up arms and defend them in a thread about Linux?

Believe me, they don't need your help. :rolleyes:
 
Spare me. The flaw existed once upon a time, just as Windows flaws are found and fixed, but you guys are all over it anyways. Besides, as one of you guys said, there are distros out there that use older kernels and apps.

Difference here is the software was patched and was available within hours, users didn't have to wait until the next Patch Tuesday (at the earliest) to get the fix.
 
What is your point? Because people nitpick Microsoft's security, you decide to take up arms and defend them in a thread about Linux?

Believe me, they don't need your help. :rolleyes:

Who's up in arms? I'm merely laughing at you guys. I don't give a rat's ass which operating system is secured or has flaws. They all do. It's just hilarious how you guys, along with Mac users, go to any length to save face. That's all.
 
Who's up in arms? I'm merely laughing at you guys. I don't give a rat's ass which operating system is secured or has flaws. They all do. It's just hilarious how you guys, along with Mac users, go to any length to save face. That's all.

So you're just trolling then...

Go figure, I guess for some reason there may have been something intelligent behind your comments, but I guess not.
 
So you're just trolling then...

Go figure, I guess for some reason there may have been something intelligent behind your comments, but I guess not.

Says the guy who's constantly looking for a fight on a daily basis.
 
Who's up in arms? I'm merely laughing at you guys. I don't give a rat's ass which operating system is secured or has flaws. They all do. It's just hilarious how you guys, along with Mac users, go to any length to save face. That's all.

Laughing at us, why? The flaw that allowed this exploit to work, the real source of the hole that allowed unauthorized access, is that some idiot basically gave out his login information. I'm not sure about you, but I don't go around handing out SSH logins to random people on the internet :rolleyes: So even though I have an SSH server running a kernel that's vulnerable to the escalation hack, it is impossible for the program talked about in the article to affect me, because the only person who knows the login to the box is me.

No one is trying to "save face" here - stupid users be stupid users, that's all there is here.
 
Proof that security is a risk on any platform, be it Windows or UNIX based. Just because malware is less of a risk on Linux or OS X doesn't mean that the risk isn't there, or that it is completely locked down just because it is UNIX based.
 
Well, got back home. Looks like 22 was open, but my system wasn't vulnerable to the exploit (or at least it doesn't seem to have the rootkit). Well, as I only use VNC anyway, it's now closed. One less security risk. :)
 
What do you call wandering into a thread about Linux to talk shit about Linux?

I don't look for any fights.

It's not the first time he's trolled up a thread. Not that what he does is unique on FP or the entire frigging internet for that matter. :rolleyes:
 