
Updated program opens Unix security hole

A flaw in widely used Unix software could allow attackers to gain control over computers running Solaris, HP-UX and several versions of Linux, the maker of the software warns.

Stephen Shankland Former Principal Writer
A flaw in widely used Unix software could allow attackers to gain control over computers running Solaris, HP-UX and several versions of Linux, security analysts and the company selling the software warned Monday.

SSH Communications Security, a Finnish company, reported Monday that the latest edition of its SSH Secure Shell software, version 3.0.0, released June 21, can let an attacker gain control over some Unix or Linux computers.

SSH is software designed to secure the text-based user interface--or "shell"--people use to remotely log in to computers and send them commands. SSH checks people's passwords and lets authorized individuals open and use the shell by way of an encrypted communications channel. The encryption prevents outsiders from intercepting the commands sent from computer to computer.

As a result of the vulnerability, though, SSH lets anyone remotely log in to an account that uses a two-character password by simply leaving the password field blank and hitting Enter. A two-character password is not likely for most active users' accounts, but it's common for several administrative accounts for functions such as controlling printers or for accounts that the system administrator has locked to temporarily disable access, said Dan Ingevaldson, leader of Internet Security Systems' X-Force research and development team.

"In certain cases, users could log in to accounts with any password," said Al David, senior director for technical services at SSH. That initial access then could serve as a launching point for a second attack that could give the attacker complete control over the system.

SSH released a patch, version 3.0.1, which can be downloaded from the company's FTP site.

The security hole is a strong risk, Ingevaldson said, though it's ameliorated by the fact that SSH doesn't ship by default with any of the vulnerable operating systems.

"It's a pretty big bug. Secure Shell is a trusted" software tool in very widespread use--though not necessarily SSH's version. "I'm quite positive there are scripting utilities being written or used right now" to scan for the vulnerability and take advantage of it, Ingevaldson said.

Security vulnerabilities, while an ages-old problem for computer administrators, are gaining importance as the Internet grows in popularity, the number of networked computers increases, and companies come to depend on those computers. Most recently, many Windows systems were susceptible to the Code Red worm, which spread so far that it tried to infect every single Internet address more than 20 times on average.

There are some caveats that reduce the severity of the SSH problem, though, chief among them the fact that version 3.0.0 is relatively new.

A hurdle for would-be attackers is that administrative utilities such as the one that controls printers typically can't open a shell for issuing commands to the computer, said Dave Wreski, chief technology officer of Guardian Digital. Those programs interact directly, without need of a user interface.

But attackers still could take control of the system, said Stephanie Thomas, an SSH technical support specialist. "The belief is that even without a shell, this could be exploited," she said.

Chairman Tatu Ylonen founded SSH in 1995 when he launched a software project to replace Unix's "telnet" command to log in to remote computers. SSH's encrypted communications channel shields commands that would otherwise be sent in the open, as with telnet.

Early versions of the software were freely available and became the basis of other projects such as OpenSSH, which ships with several versions of Linux.

SSH heard about the problem late Wednesday and began notifying customers Thursday. However, the company said, many people have downloaded the software because it may be used free for academic or other noncommercial uses. In addition, the SSH license permits free use on freely available operating systems such as Linux and FreeBSD.

In addition to the security problem with version 3.0.0, HP-UX computers running SSH version 2.3 or 2.4 are vulnerable if an administrator has created an account with a two-character password--something the operating system wouldn't do on its own.

Versions of Linux that are vulnerable include those from Red Hat, Caldera International, SuSE and Debian, the company and experts said.
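
The following audit is an added example, not part of the original article or of SSH Communications Security's advisory. It lists the accounts that match the condition described above, assuming "two-character password" refers to the stored password field of a shadow-format file (for instance a two-character lock marker); the function names and all sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts whose stored password field is exactly two
# characters long. All account data below is constructed for illustration.

# Constructed shadow-format sample (name:password-field:...).
SAMPLE_SHADOW='root:$1$constructed$notarealhash0000000000:11500:0:99999:7:::
lp:NP:6445::::::
daemon:*:11500:0:99999:7:::
olduser:!!:11500:0:99999:7:::
alice:$1$constructed$notarealhash1111111111:11500:0:99999:7:::'

# Constructed passwd-format sample (field 7 is the login shell).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/bin/false
daemon:x:1:1::/:/bin/false
olduser:x:1001:100:Disabled user:/home/olduser:/bin/sh
alice:x:1002:100:Alice:/home/alice:/bin/sh'

# audit_two_char_fields SHADOW_FILE PASSWD_FILE
# Prints one line per account with a two-character password field, plus its
# login shell so accounts that can open a shell stand out.
audit_two_char_fields() {
    awk -F: '
        FILENAME == ARGV[1] {            # first file: passwd, remember shells
            shell[$1] = ($7 == "" ? "(system default)" : $7)
            next
        }
        length($2) == 2 {                # second file: shadow
            sh = ($1 in shell) ? shell[$1] : "(no passwd entry)"
            printf "%s field=%s shell=%s\n", $1, $2, sh
        }
    ' "$2" "$1"
}

# run_sample: run the audit over the constructed data above.
run_sample() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_SHADOW" > "$tmp/shadow"
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    audit_two_char_fields "$tmp/shadow" "$tmp/passwd"
    rm -rf "$tmp"
}

run_sample
```

On a real host the function would be run as root against the system's own shadow and passwd files. Accounts it reports are the ones to review on machines running version 3.0.0 until the 3.0.1 patch is installed.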