Blog | G5 Cyber Security

OpenSSH 5.1 J-PAKE Bypass

G5 Cyber Security

TL;DR

CVE-2010-4478 affects OpenSSH versions before 5.3, allowing an attacker to potentially bypass authentication by exploiting a flaw in the J-PAKE key exchange parameter validation. This guide details how to test for and mitigate this vulnerability.

Understanding the Vulnerability

J-PAKE (Java Password Authenticated Key Exchange) was included in OpenSSH as an alternative authentication method. CVE-2010-4478 arises because OpenSSH 5.1 and earlier versions do not properly validate the parameters exchanged during the J-PAKE negotiation. An attacker can send crafted parameters, leading to a successful authentication even without knowing the correct password.

Testing for Vulnerability

  1. Check OpenSSH Version: First, determine your OpenSSH version. 
    ssh -V

    If the output shows a version less than 5.3, you are potentially vulnerable.

  2. Attempt J-PAKE Authentication (if enabled): This is harder to do directly without knowing if J-PAKE is configured on the server. You’ll need to try connecting with a client that supports it and monitor server logs.

    If you have access to a client capable of initiating J-PAKE, attempt a connection. Look for error messages or unusual behaviour in the server’s authentication logs (typically /var/log/auth.log on Debian/Ubuntu systems, or /var/log/secure on Red Hat/CentOS).

Mitigation Steps

  1. Upgrade OpenSSH: The most effective solution is to upgrade OpenSSH to version 5.3 or later.
    • Debian/Ubuntu: 
      sudo apt update
      sudo apt upgrade openssh-server
    • Red Hat/CentOS: 
      sudo yum update openssh-server
  2. Disable J-PAKE Authentication: If upgrading is not immediately possible, disable J-PAKE authentication in the OpenSSH configuration file.
    • Edit /etc/ssh/sshd_config as root.
    • Find the line containing PasswordAuthentication yes and ensure that PubkeyAuthentication yes is also present (this is important).
    • Add or modify the following lines: 
      KexAlgorithms !diffie-hellman-group1,diffie-hellman-group14,diffie-hellman-group16,diffie-hellman-group18
      PasswordAuthentication no
    • Restart the SSH service: 
      sudo systemctl restart sshd
  3. Firewall Rules: While not a direct mitigation, restricting access to your SSH port (port 22 by default) can reduce the attack surface.

Verification

  1. Re-check OpenSSH Version: Confirm that the upgrade was successful by running ssh -V again.
  2. Test Authentication: Attempt to connect using J-PAKE (if you have a client) after disabling it in the configuration file. You should no longer be able to authenticate successfully.
Exit mobile version