lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <76d0c308-7f9a-52c6-0a8e-7a9dddb6d6e1@sydney.edu.au>
Date: Thu, 10 Aug 2023 06:40:37 +1000
From: Paul Szabo via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] Qualys mis-uses ssh, fails to scan and protect,
 facilitates internal attack

=== Introduction ===================================================

My institution uses Qualys

  www.qualys.com

to scan for vulnerabilities, including on some Debian Linux machines
that I manage. The scanner does some network scans, and also logs in
to each machine to do "authenticated scans".

=== Discovery ======================================================

When I recently updated my machines from Debian11 to Debian12, the
Qualys scanner was no longer able to SSH login, with syslog lines:

  sshd: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

The ssh-rsa algorithm was removed from the default list in Debian12
(has OpenSSH 9.2, up from 8.4 in Debian11), see e.g.

  www.openssh.com/txt/release-8.8
    ... disables RSA signatures using the SHA-1 hash algorithm by
    default. This change has been made as the SHA-1 hash algorithm
    is cryptographically broken ...

I confirmed that Qualys uses (requires) ssh-rsa as public key signing
algorithm: its SSH login to Debian12 suceeds with the SSHD setting
"PubkeyAcceptedAlgorithms +ssh-rsa", and to Debian11 fails with the
opposite "PubkeyAcceptedKeyTypes -ssh-rsa".

=== Issues =========================================================

 - Qualys scanner uses insecure ssh-rsa algorithm for pubkey signing
   in its attempt of SSH login.

 - Modern SSHD servers reject pubkey login with ssh-rsa, so Qualys is
   unable to scan up-to-date Linux e.g. Debian12 or RHEL9.

 - Qualys does not check the list of pubkey signing algorithms
   accepted by SSHD servers, cannot notify about any insecure ones.

=== Vulnerability ==================================================

Any SSHD server that accepts the insecure ssh-rsa algorithm for pubkey
signing is vulnerable. The fact that Qualys had been able to log in to
all Linux machines at my institution, shows that all accept ssh-rsa
and are vulnerable. It is expected that anywhere that Qualys is used,
all Linux machines (except recently updated) are similarly vulnerable.

The vulnerability affects all uses of public key authentication.
Qualys itself facilitates an internal attack, by providing the account
used to do "authenticated scans", forced onto all machines and with
root (sudo) access, with the public key commonly available to any
local admins of any scanned machines. An attack on this account is
both easier and more fruitful; admittedly an attack may be impractical
with currently available computing resources.

=== Fixes needed ===================================================

 - Qualys to reconfigure the scanner to use a secure pubkey signing
   algorithm for its SSH login attempt. This same fix also enables
   Qualys to scan up-to-date Linux e.g. Debian12 or RHEL9.

 - Qualys to check the pubkey signing algorithms accepted by SSHD
   servers, and notify when insecure ones are in use.

 - Administrators of Linux machines to check SSHD settings, ensure
   that ssh-rsa is not accepted. This is needed on all SSHD servers,
   regardless of whether Qualys is used.

=== Comments =======================================================

It is curious how Qualys:
 - uses (requires!) an insecure pubkey signing algorithm, though
   better alternatives have been the norm for decades;
 - did not notice its inability to do authenticated scans on RHEL9
   and similar machines, since over a year ago;
 - checks many similar (similarly impractical) SSHD issues, but does
   not check pubkey signing; and
 - seems to know all about SSH, reporting esoteric issues in its
   internals, but still uses it wrongly.

=== Dedication =====================================================

I dedicate this advisory to Luis Fuentes-Cobas, my one-time professor
of Electromagnetism, who taught me logic, deduction and persistence.
Maybe I missed the class about patience.

=== References =====================================================

www.qualys.com/
www.qualys.com/docs/qualys-authenticated-scanning-unix.pdf
www.openssh.com/txt/release-8.2
www.openssh.com/txt/release-8.8
https://eprint.iacr.org/2020/014.pdf
www.usenix.org/conference/usenixsecurity20/presentation/leurent
https://csrc.nist.gov/news/2006/nist-comments-on-cryptanalytic-attacks-on-sha-1
https://csrc.nist.gov/Projects/hash-functions/nist-policy-on-hash-functions
https://en.wikipedia.org/wiki/SHA-1
www.rfc-editor.org/rfc/rfc4252.html
https://success.qualys.com/support/s/article/000003219
https://success.qualys.com/support/s/article/000006407
https://seclists.org/fulldisclosure/2016/Jan/44
https://seclists.org/oss-sec/2023/q1/75
https://seclists.org/fulldisclosure/2023/Jul/31

=== Timeline =======================================================

24 June 2023  Discovered, notified internally within my institution
 9 July 2023  Qualys contacted via "community" post
16 July 2023  Qualys contacted via security@...lys.com
26 July 2023  CVE requested from bugreport@...lys.com (a CNA partner)

====================================================================


-- 
Paul Szabo       psz@...hs.usyd.edu.au       www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of Sydney    Australia
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ