Web hosting provider Linode jeopardized the security of its customers’ virtual machines, potentially allowing attackers to hijack the SSH connections initiated by customer system administrators, according to IT watchdog site The Register.
Linode promotes “High performance SSD Linux servers for all of your infrastructure needs.” Linode’s client list includes numerous high-profile, cloud-based businesses, many of which store sensitive customer information on Linode’s servers.
Nodes installed from Linode’s Ubuntu 15.10 image between November 10, 2015 and February 4, 2016 all use the same SSH server key. Normally a unique key is generated when a Linux distribution is installed, but that evidently did not happen here for months. As a result, an attacker holding the shared server key (which every node built from that image carries) could mount a man-in-the-middle attack using a malicious server that masquerades as the customer’s vulnerable virtual machine. If successful, the attacker could quietly intercept login credentials, files, commands and other data sent by the unsuspecting administrator and, ultimately, hijack the machine.
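The fleet check a sysadmin can run to catch exactly this condition, added here as an example (it is not code from the article, from Linode or from iTivity): feed it the output of `ssh-keyscan` run against your own hosts and it reports any host key presented by more than one machine. The host names and key blobs below are constructed, not real keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample in ssh-keyscan output format ("host keytype base64-key");
# the key blobs are made up for this example and are not real public keys.
SAMPLE_KEYSCAN = """\
# node-a.example:22 SSH-2.0-OpenSSH_6.9p1 Ubuntu-2
node-a.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICnstrct3dS4mpl3K3yN0tR34lXXXXXXXXXXXXXXXXXX
# node-b.example:22 SSH-2.0-OpenSSH_6.9p1 Ubuntu-2
node-b.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICnstrct3dS4mpl3K3yN0tR34lXXXXXXXXXXXXXXXXXX
# node-c.example:22 SSH-2.0-OpenSSH_6.9p1 Ubuntu-2
node-c.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiff3r3ntS4mpl3K3yN0tR34lYYYYYYYYYYYYYYYYYY
"""


def fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint of a host key, in the form OpenSSH prints (ssh-keygen -l)."""
    blob = base64.b64decode(b64_key)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "SHA256:" + digest


def find_shared_host_keys(keyscan_output: str) -> dict:
    """Return {fingerprint: [hosts]} for every key presented by more than one host."""
    hosts_by_fp = defaultdict(set)
    for line in keyscan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # ssh-keyscan banner comments
            continue
        host, _keytype, b64_key = line.split()[:3]
        hosts_by_fp[fingerprint(b64_key)].add(host)
    # Only keys shared across hosts are a finding; unique keys are expected.
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} is presented by {len(hosts)} hosts: {', '.join(hosts)}")
```

Any host that appears in a shared group needs fresh keys generated on that machine (on Ubuntu, remove /etc/ssh/ssh_host_* and run `dpkg-reconfigure openssh-server`), after which clients must update their known_hosts entries.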
This kind of incident is not uncommon and has tripped up many technically savvy companies, including Cisco in June 2015. The problem is inherent in the design of SSH, which places key generation on the remote host rather than in a central location. In contrast, a web hosting provider using iTivity can include the iTivity agent in a common disk image without risk. On initial start-up, the hosting admin simply assigns the VM to the customer’s sysadmin through the iTivity SaaS interface. All keys are stored centrally on the iTivity Cloud Server, making a man-in-the-middle attack impossible.