Contact Us

What are the Most Common SSH Vulnerabilities?

What are the SSH vulnerabilities that my organization should prepare for in 2024?
21 Dec 2023

A Brief History of SSH and Attacks

Did you know that the Secure Shell (SSH) protocol was created in 1995? Yeah, sure was! In fact, a researcher from the University of Helsinki invented the protocol as a direct result of witnessing a password-sniffing attack 1st hand! The attack involved capturing passwords transmitted over the network by users of the university’s systems. This incident highlighted the vulnerabilities in transmitting unencrypted passwords and data over the network, and to address this, Ylönen developed the first version of SSH to ensure secure method of logging into another computer over a network. SSH quickly became popular for its ability to provide secure encrypted communications between two untrusted hosts over an insecure network.

But let’s think about this…anything that was created in ‘95 (technologically speaking, of course) is highly susceptible to compromise, if not only out of sheer age. Hackers and other bad actors have had literal decades to “crack the key” (pun fully intended). Don’t get that joke? Admittedly, not my best material, but consider this…

During the authentication process, SSH keys often establish direct, privileged or root access to a variety of critical systems, effectively turning these cryptographic assets into privileged credentials. SSH keys are granted the same access as passwords, but when most people think about securing their privileged credentials, they forget about SSH keys. As a result, these keys can easily fall into the wrong hands and, instead of protecting our most important assets, they become “virtual skeleton keys.”

Here are a few examples of SSH related attacks and breaches over the years…

T-Mobile (2021-Forever?)

Our friends over at T-Mobile have been going through it for a while now. In 2021, hackers were able to steal the personal information (INCLUDING THE SOCIAL SECURITY NUMBERS) of more than 54 million customers in a ransomware attack. Hackers got API access and proved their SSH connection via screenshot. T-Mobile said at the time that they were committed to “a substantial multi-year investment” to boost its cybersecurity following the 2021 hack, claiming it has “made substantial progress to date.” Yeah, right. …it just happened again.

RSA Security Breach (2011)

In this breach from quite some time ago, attackers compromised RSA’s SecurID system. While the exact method of initial entry was not officially disclosed, reports suggested that the breach could have involved SSH key mismanagement, among other potential vulnerabilities.

Operation Aurora (2009-2010)

This was a series of cyber-attacks conducted by advanced persistent threat (APT) actors against Google and several other companies. The attackers used a combination of techniques, and while SSH was not the primary attack vector, insecure SSH keys were identified as one of the potential weaknesses that could have been exploited.

GitLab Incident (2017)

GitLab, a web-based DevOps lifecycle tool, experienced a data deletion incident due to an employee’s error. The root cause was not a malicious attack but an accidental removal of data during an SSH session. This incident underlines the risks associated with powerful SSH access in critical environments.

Canadian Government Breach (2014)

The Canadian government experienced a breach where the attacker gained unauthorized access to the National Research Council’s network. The method of intrusion was not explicitly stated, but reports around the incident pointed to compromised SSH keys as a potential vector.

University of Maryland Breach (2014)

The University of Maryland reported a data breach that exposed personal information. While the specific attack vector was not publicly disclosed, subsequent security analyses pointed to SSH as one of the potential pathways for attackers, particularly through stolen or poorly managed SSH keys.

It’s important to not underestimate this problem we’re all facing in today’s effort to secure remote authentication. Keep this in mind…When an attacker gains access to one privileged SSH key, she or he can access every single SSH key stored on that machine. What exactly does this mean? They’re able to “spider” the entire network, gaining access to all your data. Yikes. There’s been research that as little as five unique SSH keys can grant access to an entire enterprise through transitive SSH key trust. When we really think about it, SSH is probably the weakest point in your infrastructure in 2024.

All things considered, here are the top 4 things we think you should be aware of regarding SSH vulnerabilities:

SSH Key Tracking Troubles – Too Many for Manual Management

In a large organization with over 10,000 servers, managing more than a million SSH keys can be an overwhelming challenge, often bordering on the impractical. How on Earth do so many keys get created? Unlike passwords or certificates, SSH Keys can be created (or duplicated) by users without any central control or oversight. Over time, as these keys accumulate, it becomes increasingly difficult for an organization to keep track of them. For instance, SSH keys may not be properly managed when development servers are moved to production, especially if the original development credentials aren’t removed, or when an employee leaves the company without their keys being deleted. The potential risk here is significant: unmonitored SSH keys could grant attackers sustained, privileged access to a company’s network. If such a key, which isn’t removed, falls into the wrong hands, it could serve as a permanent access point to the network, allowing attackers to masquerade as the legitimate key owner. …remember my key pun from before? No? …moving on.

Key Sharing is a Real Problem!

For practical reasons, it’s common to see SSH keys being shared or replicated among a specific group of employees, servers, or other infrastructure elements. Because of this practice of SSH key replication, a surprisingly small number of unique keys, sometimes as few as 5 (yikes!), can provide access to all the systems across a company. While this method might simplify tasks for IT departments in the short run, it ironically eases the task for attackers over a longer period. This complexity makes it challenging to remove a single key without disrupting a whole bunch of other SSH connections that rely on the same key. Moreover, the practice of sharing SSH keys poses additional risks by diminishing the ability to track individual actions and verify the authenticity of transactions, compromising key aspects of security like auditability and nonrepudiation.

Static SSH Keys STINK!

Managing the rotation of over a million SSH keys is a daunting task for anybody, even the most seasoned Engineers. Because of this, many IT and security professionals avoid frequently updating and redistributing these keys. The reluctance to update often stems from the fear of overlooking a critical system or employee, which could range from a minor inconvenience to a significant, organization-wide disruption. As a result, many enterprises end up with a large number of unchanged, or static SSH keys. This situation creates an obvious vulnerability. If attackers manage to acquire one of these static keys, they can use it to navigate through the enterprise’s network undetected, potentially gaining ongoing, unauthorized access to your most sensitive information and assets. Not ideal.

SSH Authentication Simplified – EZSSH

While SSH is certainly a cornerstone of secure authentication, its management and security practices are often chock-full of challenges. That’s why we built EZSSH, making passwordless SSH authentication available (and affordable) for everyone! From the overwhelming task of managing a large volume of keys, to the risks posed by static or embedded keys, SSH environments can inadvertently open doors to security threats. It’s essential for organizations to actively consider the state of their SSH key infrastructure and its implications on overall security. Given the complexity and potential risks associated with SSH key management, seeking further information and expert guidance is highly advisable. Whether it’s reassessing your existing protocols or exploring new security strategies, consulting with an SSH authentication expert can provide invaluable insights and help fortify your defenses against sophisticated cyber threats. Don’t hesitate to make this a priority; the security and integrity of your network may depend on it. Check out how EZSSH works today!

You Might Also Want to Read