A Brief Analysis of SSH on the Web

A very interesting and in some ways telling analysis of the current state of 16,532,281 SSH configurations on the internet.

Out of all the IPv4 addresses we found:

  • 9,423,225 are affected by the CVE-2015-5600 – “The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.”

  • 1,530,566 are affected by the CVE-2013-4421 – “The buf_decompress function in packet.c in Dropbear SSH Server before 2013.59 allows remote attackers to cause a denial of service (memory consumption) via a compressed packet that has a large size when it is decompressed.”

  • 83,357 are affected by the CVE-2015-6565 – “sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY devices, which allows local users to cause a denial of service (terminal disruption) or possibly have unspecified other impact by writing to a device, as demonstrated by writing an escape sequence.”

Source: SSH – A brief analysis of the internet
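
An added example, not code from the original analysis: a classifier that maps SSH identification strings from your own inventory to the three CVEs above, using only the version ranges quoted in their descriptions. The sample banners are constructed, and because distributions backport fixes without changing the banner version, a match marks a host to check rather than a confirmed vulnerable one.

```python
import re
from collections import Counter
# Version ranges come from the CVE descriptions quoted above.
_OPENSSH = re.compile(r"OpenSSH_(\d+)\.(\d+)")
_DROPBEAR = re.compile(r"dropbear_(\d+)\.(\d+)", re.IGNORECASE)

# Constructed sample banners (not data from the original analysis).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2",
    "SSH-2.0-OpenSSH_6.9",
    "SSH-2.0-OpenSSH_7.2p2",
    "SSH-2.0-dropbear_2012.55",
    "SSH-2.0-dropbear_2015.67",
    "SSH-2.0-libssh-0.6.3",
]

def parse_banner(banner):
    """Return (product, (major, minor)) or None for an unrecognised banner."""
    parts = banner.strip().split("-", 2)  # SSH-<proto>-<software>[ comments]
    if len(parts) < 3 or parts[0] != "SSH":
        return None
    software = parts[2].split(" ", 1)[0]
    for product, pattern in (("openssh", _OPENSSH), ("dropbear", _DROPBEAR)):
        m = pattern.match(software)
        if m:
            return product, (int(m.group(1)), int(m.group(2)))
    return None

def flag_cves(banner):
    """List the CVEs whose quoted version range covers this banner."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    hits = []
    if product == "openssh":
        if version <= (6, 9):              # "OpenSSH through 6.9"
            hits.append("CVE-2015-5600")
        if version in ((6, 8), (6, 9)):    # "OpenSSH 6.8 and 6.9"
            hits.append("CVE-2015-6565")
    elif version < (2013, 59):             # "Dropbear ... before 2013.59"
        hits.append("CVE-2013-4421")
    return hits

def summarize(banners):
    counts = Counter()  # number of flagged banners per CVE
    for banner in banners:
        counts.update(flag_cves(banner))
    return dict(counts)
```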


Google Finally Disabling SSLv3 and RC4

Google has posted about its intention to finally disable SSLv3 and the RC4 cipher. This is great news: Google is responsible for an insane level of web traffic, and knowing that the encryption it uses to secure all of those transactions will be stronger is brilliant!

SSLv3 has been obsolete for over 16 years and is so full of known problems that the IETF has decided that it must no longer be used. RC4 is a 28 year old cipher that has done remarkably well, but is now the subject of multiple attacks at security conferences. The IETF has decided that RC4 also warrants a statement that it too must no longer be used.

Source: Google Online Security Blog: Disabling SSLv3 and RC4
