A Brief Analysis of SSH on the Web

A very interesting, and in some ways telling, analysis of the current state of 16,532,281 SSH configurations on the internet.

Out of all the IPv4 addresses we found:

  • 9,423,225 are affected by the CVE-2015-5600 – “The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.”

  • 1,530,566 are affected by the CVE-2013-4421 – “The buf_decompress function in packet.c in Dropbear SSH Server before 2013.59 allows remote attackers to cause a denial of service (memory consumption) via a compressed packet that has a large size when it is decompressed.”

  • 83,357 are affected by the CVE-2015-6565 – “sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY devices, which allows local users to cause a denial of service (terminal disruption) or possibly have unspecified other impact by writing to a device, as demonstrated by writing an escape sequence.”

Source: SSH – A brief analysis of the internet
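
To check your own hosts against the three version ranges quoted above, the following added example (not code from the source analysis) maps an SSH identification string to the CVEs whose stated range it falls in. It assumes the version is read from the server banner, and the sample banners are constructed; a match is only a candidate, because distributions backport fixes without changing the upstream version number.

```python
import re
from collections import Counter

# Matches identification strings such as "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2"
# or "SSH-2.0-dropbear_2012.55"; only product and major.minor are captured.
BANNER_RE = re.compile(r"^SSH-[\d.]+-(OpenSSH|dropbear)_(\d+)\.(\d+)", re.IGNORECASE)

def parse_banner(banner):
    """Return (product, (major, minor)) or None if the banner is not recognised."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return m.group(1).lower(), (int(m.group(2)), int(m.group(3)))

def candidate_cves(banner):
    """List the CVEs from the post whose quoted version range covers this banner."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    cves = []
    if product == "openssh":
        if version <= (6, 9):              # "OpenSSH through 6.9"
            cves.append("CVE-2015-5600")
        if version in ((6, 8), (6, 9)):    # "OpenSSH 6.8 and 6.9"
            cves.append("CVE-2015-6565")
    elif product == "dropbear":
        if version < (2013, 59):           # "Dropbear SSH Server before 2013.59"
            cves.append("CVE-2013-4421")
    return cves

def tally(banners):
    """Count candidate hosts per CVE across an inventory of banners."""
    return Counter(cve for b in banners for cve in candidate_cves(b))

# Constructed sample inventory, not data from the analysis.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2",
    "SSH-2.0-OpenSSH_6.9",
    "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
    "SSH-2.0-dropbear_2012.55",
    "SSH-2.0-dropbear_2013.59",
    "SSH-2.0-libssh_0.7.0",
]

if __name__ == "__main__":
    for cve, count in sorted(tally(SAMPLE_BANNERS).items()):
        print(cve, count)
```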
