Four SSH Vulnerabilities You Should Not Ignore
February 23, 2018
John Walsh
The Secure Shell (SSH) protocol was created in 1995 by a researcher from the University of Helsinki after a password-sniffing attack. SSH is the tool of choice for system admins and is used throughout traditional and virtual datacenter environments to enable secure remote access to Unix, Linux and sometimes Windows systems. You can think of the SSH key, which enables this remote access, as a “Swiss Army Knife” for IT teams in that it helps administrators and developers authenticate to systems, build authentication into systems and applications and encrypt the resulting traffic between its users and systems.
During the authentication process, these SSH keys often establish direct, privileged or root access to a variety of critical systems, effectively turning these cryptographic assets into privileged credentials. SSH keys are granted the same access as passwords, but when most people think about securing their privileged credentials, they forget about SSH keys. As a result, these keys can easily fall into the wrong hands and, instead of protecting access to important assets, these keys can become “virtual skeleton keys.” To make matters worse, when an attacker gains access to one privileged SSH key, she or he can access every SSH key stored on that machine and spider the entire company network, often gaining access to all company data. As few as five to 20 unique SSH keys can grant access to an entire enterprise through transitive SSH key trust, providing attackers with privileged access to the organization’s most sensitive systems and data.
Four SSH vulnerabilities you should not ignore:
- SSH Key Tracking Troubles. It’s not uncommon for a typical large enterprise with 10,000+ servers to have more than one million SSH keys – making it incredibly difficult, if not impossible, to find and manage each key. Organizations typically accumulate large numbers of SSH keys because end users can create new SSH keys (credentials) or even duplicate them without oversight, unlike certificates or passwords. Once a large number of SSH keys are built up over time, an organization could, for example, easily lose track of these credentials when development servers are migrated into production environments (assuming the development environment credentials are not scrubbed) or when employees leave the company and their keys are not changed. The result? SSH keys left unaccounted for can provide attackers with long-term privileged access to corporate resources. If attackers gain access to a key that is never revoked or rotated, the attackers could have a permanent network entry point and impersonate the user that the SSH key originally belonged to.
- When it Comes to SSH Keys, Sharing Isn’t Caring. For the sake of efficiency, SSH keys are often shared or replicated across a common group of employees or servers and infrastructure components. As noted above, because of this duplication, as few as five to 20 unique keys can grant access to every machine in an enterprise. This approach may make IT teams’ jobs easier in the short term, but it also makes attackers’ lives easier in the long term. SSH key duplication creates complicated, many-to-many private/public key mappings that significantly reduce security, because it is difficult to rotate or revoke a single key without breaking untold other SSH trust relationships that share the same key fingerprint. SSH key sharing is also dangerous because it reduces auditability and non-repudiation.
- Static SSH Keys, Because “Ain’t Nobody Got Time for Rotation!” It’s easy to see how rotating one million plus SSH keys would be a logistical nightmare. Many IT administrators and security professionals rarely change and re-distribute keys for fear that a critical component or employee may be forgotten (which could mean anything from a simple inconvenience for a single employee to a major company-wide system outage). These factors typically result in a surge of static SSH keys, opening the door for attackers to compromise an unchanged key, use it to move laterally through the enterprise and gain permanent, unauthorized access to sensitive data and assets.
- Embedded SSH Keys – The Ones No One Wants to Mess With. SSH keys are frequently embedded within applications or scripts. Administrators are often fearful of changing them as they do not understand the code the keys are embedded in or are strongly discouraged from rotating them because of the level of coordination required to prevent system outages. As a result, static SSH keys embedded in applications, code and scripts can lead to persistent backdoors for attackers.
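The first two problems above are, at bottom, inventory problems: you cannot rotate or revoke what you cannot find, and you cannot tell a shared key from a unique one without comparing fingerprints. As an added example (not code from the original post or from CyberArk), the following Python script shows how a defender would start that inventory. It parses authorized_keys content collected from several accounts, computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and then reports keys that are authorized for more than one principal, keys with no owner comment, and lines it could not parse. The sample files and the keys inside them are constructed inline for the example; the helper that builds key blobs exists only to make deterministic sample input and is not how real keys are produced.

```python
"""Audit collected authorized_keys files for shared and unowned SSH keys."""
import base64
import hashlib
import re
from collections import defaultdict

# authorized_keys line: [options] key-type base64-key [comment]
# Like sshd, try the line as a bare key first, then as options followed by a key.
_KEY = (r"(?P<ktype>(?:ssh|ecdsa|sk)-[\w@.-]+)\s+(?P<b64>[A-Za-z0-9+/=]+)"
        r"(?:\s+(?P<comment>.*\S))?\s*$")
KEY_LINE = re.compile("^" + _KEY)
OPTS_LINE = re.compile(r"^(?P<opts>\S.*?)\s+" + _KEY)


def ssh_wire_blob(key_type: str, raw_key: bytes) -> bytes:
    """Length-prefixed SSH wire encoding of a public key. Used here only to
    construct sample input; real keys come from ssh-keygen."""
    def field(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return field(key_type.encode()) + field(raw_key)


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield one dict per key line. Blank lines and '#' comments are skipped;
    lines that do not parse are yielded as 'malformed' rather than dropped,
    because a line sshd might still accept must not vanish from the audit."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line) or OPTS_LINE.match(line)
        if not m:
            yield {"lineno": lineno, "malformed": line}
            continue
        yield {"lineno": lineno,
               "options": m.groupdict().get("opts") or "",
               "ktype": m["ktype"],
               "fingerprint": fingerprint(m["b64"]),
               "comment": m["comment"] or ""}


def build_inventory(files: dict):
    """files maps 'user@host' -> authorized_keys text.
    Returns (fingerprint -> [(principal, entry), ...], [malformed lines])."""
    inv = defaultdict(list)
    malformed = []
    for principal, text in files.items():
        for entry in parse_authorized_keys(text):
            if "malformed" in entry:
                malformed.append((principal, entry["lineno"], entry["malformed"]))
            else:
                inv[entry["fingerprint"]].append((principal, entry))
    return inv, malformed


def shared_keys(inv):
    """Fingerprints authorized for more than one principal: the sharing problem."""
    return {fp: sorted({p for p, _ in entries})
            for fp, entries in inv.items() if len({p for p, _ in entries}) > 1}


def unowned_keys(inv):
    """Keys with no comment naming an owner: hard to attribute, hence hard to revoke."""
    return [(p, fp) for fp, entries in inv.items() for p, e in entries if not e["comment"]]


def audit(files: dict) -> dict:
    inv, malformed = build_inventory(files)
    return {"keys": len(inv), "shared": shared_keys(inv),
            "unowned": unowned_keys(inv), "malformed": malformed}


# --- constructed sample input (not real keys) ---------------------------------
def _sample_key(ktype: str, fill: int) -> str:
    return base64.b64encode(ssh_wire_blob(ktype, bytes([fill]) * 32)).decode()

KEY_A = _sample_key("ssh-ed25519", 0x01)   # one deploy key copied to every host
KEY_B = _sample_key("ssh-ed25519", 0x02)
KEY_C = _sample_key("ssh-ed25519", 0x03)

SAMPLE_FILES = {
    "root@web01": ("# constructed sample\n"
                   f"ssh-ed25519 {KEY_A} deploy@ci\n"
                   f"ssh-ed25519 {KEY_B} alice@laptop\n"),
    "root@db01": (f"ssh-ed25519 {KEY_A} deploy@ci\n"
                  f"ssh-ed25519 {KEY_C}\n"),          # no comment: whose key is this?
    "deploy@web02": ('from="10.0.0.0/8",command="/usr/local/bin/deploy.sh" '
                     f"ssh-ed25519 {KEY_A} deploy@ci\n"
                     "not a key line\n"),
}

if __name__ == "__main__":
    report = audit(SAMPLE_FILES)
    print(f"{report['keys']} distinct keys")
    for fp, principals in report["shared"].items():
        print(f"SHARED   {fp} -> {', '.join(principals)}")
    for principal, fp in report["unowned"]:
        print(f"UNOWNED  {fp} on {principal}")
    for principal, lineno, line in report["malformed"]:
        print(f"MALFORMED {principal}:{lineno}: {line!r}")
```

In practice the `files` dict would be filled from `~/.ssh/authorized_keys` for every account on every host (plus any `AuthorizedKeysFile` paths sshd is configured with), and the report becomes the worklist for rotation: every fingerprint in `shared` is a key whose revocation touches more than one trust relationship, which is exactly why it tends never to happen.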
SSH keys can present a tremendous opportunity for hackers to gain privileged access to networks, stay connected, impersonate legitimate users, hide their activity with encryption and move freely. To learn about SSH key challenges and best practices for mitigating associated risks while improving your overall security posture, visit our website. And to learn more about our comprehensive secrets management tool to help secure SSH keys, credentials and other secrets used by applications and machines, check out this blog post.
Editor’s Note: This article has been updated. It was originally published April, 2016.