Experts urge users to upgrade to the latest version

Jul 9, 2009 09:00 GMT

Rumors about the existence of an exploit for an as-yet-undisclosed OpenSSH vulnerability are actively circulating on forums, blogs and mailing lists. What little plausible evidence is available suggests that the latest OpenSSH version is not affected.

The problem was first mentioned in a thread on the Webhosting Talk Forums, where someone suggested that a 0-day OpenSSH exploit had been recently used to compromise a pretty large website. Some speculate that the site in question was astalavista.com, a hacking and security community website.

Security researchers from SANS Internet Storm Center (ISC) set out to investigate the claims and found one plausible piece of evidence that might point to the existence of an unknown vulnerability in OpenSSH. It consists of a log showing an attack in progress against a server associated with ssanz.net (Server Systems Administration NZ).

The SSANZ website confirms the hack on its first page. "Unfortunately SSANZ has been hacked by anti-sec group," an announcement informs. "Data has been erased & Backups erased. SSANZ Staff sincerely apologizes for this breach of security," it also reads.

"So far this is the only 'evidence' of an attack. It is against an older version of OpenSSH so if this is the source of the rumor, then it is NOT a problem with the most updated version," Marcus Sachs, director of ISC, writes. "We've received a few emails that lend credibility to the rumor," he adds; however, nothing can be confirmed without the actual exploit code.

One interesting e-mail was sent by an anonymous user who claims to have proof of the exploit, which he can't yet share, and suggests that the vulnerability will be made public before the upcoming Black Hat security conference. Furthermore, he confirms that it does not work on the latest version of OpenSSH.

"You have no reason to believe anything I am telling you here," the user writes. "It would be really great however if you suggested everyone to upgrade OpenSSH to the newest version, on the off chance the rumor is true though, right? No harm if you are getting bad information in that case," he continues.

The ISC researcher takes up the advice of the anonymous writer and recommends that everyone update to the latest version, just to be on the safe side. "[...] And by all means turn it off if you don't need it (don't uninstall the updated binaries, just turn off the service – that way if it's needed you won't accidentally have an out of date version running.)," he adds.