July 24, 2001, 1:55 PM — A flaw in SSH Secure Shell 3.0.0 remote access software for Unix could allow attackers to get full control over servers and workstations running various flavors of Unix, software maker SSH Communications Security Corp. warned.
The problem lies in the software's password authentication. Accounts with passwords that consist of two or fewer characters can be accessed without entering a password at all, SSH said in a statement on its Web site.
Such a short password isn't likely for a regular user account, but is common for several administrative accounts used to manage specific parts of the server. These accounts, which are installed by default when the operating system is installed, have standard login names and passwords and are normally only accessible locally.
"Although these administrative accounts have few privileges, it is fairly easy to move on, become root, and gain full access over the machine," said Janne Saarikko, product manager for Secure Shell at SSH in Finland, in an interview.
Millions of people worldwide use SSH Secure Shell; the software has become the de-facto standard for encrypted terminal connections and secure file transfers, according to SSH. The software is provided free for academic and noncommercial use, which adds to its popularity. SSH qualifies the flaw as "a serious problem" and advises all users of Secure Shell 3.0.0 to immediately upgrade to version 3.0.1.
SSH Secure Shell 3.0.0 for Unix workstations is also flawed. Unauthorized users could access the system if the user has the "sshd2" daemon for remote access running, SSH said.
"The workstation can be used as a limited server, which is quite common," Saarikko said.
Affected systems are various versions of Sun Microsystems Inc.'s Solaris and Hewlett-Packard Co.'s HP-UX as well as various Linux versions from Red Hat Inc., Caldera Systems Inc. and SuSE Linux AG, SSH said.
Version 3.0.0 of Secure Shell has only been on the market since June 21, which mitigates the seriousness of the flaw, according to SSH.
"This version hasn't gone out to many customers," Saarikko said.
Jurrien Wijlhuizen, who manages 10 servers running Debian Linux at the Amsterdam-based Internet services company GUTS Digital Communications BV and uses Secure Shell, agreed.
"The flaw has no consequences for us. We use an older version of Secure Shell, a version that has been around for a while and has a proven track record. The newer version might have more features, but that doesn't weigh up against the security risk," he said.
Wijlhuizen qualified the hole as "a big goof up" by SSH and said that serious damage could be done to vulnerable machines, including deleting the entire system and accessing other systems connected to the Unix box.
SSH Communications Security Corp. in Helsinki can be reached at +358-20-500-7000, or on the Web at http://www.ssh.com/.
