
Vulnerability_Advisory_SSH.txt
Posted Nov 19, 2008
Authored by Centre for the Protection of National Infrastructure (CPNI) | Site cpni.gov.uk

A design flaw in the SSH specification allows an attacker with control over the network to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. The vulnerability has been verified against OpenSSH 4.7p1; other versions may also be susceptible.

tags | advisory
SHA-256 | 8d48ca8b60553c221cb1492df2fd5bc59181cf198fa4fff19a8f69a7c0f813ae

CPNI Vulnerability Advisory SSH

Plaintext Recovery Attack Against SSH

Version Information
-------------------
Advisory Reference CPNI-957037
Release Date 14/11/08
Last Revision 17/11/08
Version Number 2.0 - Changes to Impact and Summary sections. Version History added. Vendor details added.
Version History

Acknowledgement
---------------

This issue was reported by Martin Albrecht, Kenny Paterson and Gaven Watson
from the Information Security Group at Royal Holloway, University of London.

What is affected?
-----------------
The attack was verified against the following product version running on Debian GNU/Linux:

- OpenSSH 4.7p1

Other versions are also affected. Other implementations of the SSH
protocol may also be affected.

Impact
------

If exploited, this attack can potentially allow an attacker to
recover up to 32 bits of plaintext from an arbitrary block of
ciphertext from a connection secured using the SSH protocol in
the standard configuration. If OpenSSH is used in the standard
configuration, then the attacker's success probability for
recovering 32 bits of plaintext is 2^{-18}. A variant of the
attack against OpenSSH in the standard configuration can verifiably recover 14
bits of plaintext with probability 2^{-14}. The success probability
of the attack for other implementations of SSH is not known.

Severity
--------

The severity is considered to be potentially HIGH due to the
32 bits of plaintext that can be recovered. However, the
likelihood of a successful attack is considered LOW.


Summary
-------

Secure Shell or SSH is a network protocol that allows data to be
exchanged using a secure channel between two networked devices. A
design flaw in the SSH specification allows an attacker with control
over the network to recover up to 32 bits of plaintext from an
SSH-protected connection in the standard configuration. The success
probability in recovering 32 plaintext bits is 2^{-18} when attacking
the OpenSSH implementation of the SSH RFCs. A variant of the attack
against the OpenSSH implementation verifiably recovers 14 plaintext bits with
probability 2^{-14}. The recovered bits come from an arbitrary,
attacker-selected block of ciphertext. The success probabilities for
other implementations are unknown (but are potentially much higher).

Details
-------

The attack works by analysing the behaviour of the SSH connection
when handling certain types of errors.

The attack was tested against the OpenSSH implementation of the SSH
RFCs.

We expect any RFC-compliant SSH implementation to be vulnerable
to some form of the attack.

The attacks lead to the teardown of the SSH connection, meaning that
they cannot directly be iterated to increase the success probability.
However, the SSH architectural RFC (RFC 4251) states that the SSH
connection should be re-established in the event of errors. So, if
SSH were used to protect a fixed plaintext across multiple connections,
and connections were automatically re-established in compliance with RFC
4251, then the success probability could be increased.

Solution
--------

The most straightforward solution is to use CTR mode instead
of CBC mode, since this renders SSH resistant to the attack. An RFC
already exists to standardise counter mode for use in SSH (RFC 4344)
and AES in counter mode is supported by OpenSSH. A switch to AES in counter
mode could most easily be enforced by limiting which encryption
algorithms are offered during the ciphersuite negotiation that takes
place as part of the SSH key exchange (see RFC 4253, Section 7.1).
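As an added illustration (not part of the CPNI advisory), the check below audits an sshd_config fragment for the cipher list it offers during negotiation and reports whether any CBC-mode ciphers remain, proposing a CTR-only `Ciphers` line as the fix. It assumes OpenSSH's `Ciphers` directive with comma-separated RFC 4253/4344 names, and that a config with no `Ciphers` line falls back to a default list that includes CBC (the advisory's "standard configuration"); the config fragments are constructed samples.

```python
import re

CBC_SUFFIX = "-cbc"   # CBC-mode cipher names per RFC 4253 end in "-cbc"
CTR_SUFFIX = "-ctr"   # counter-mode cipher names per RFC 4344 end in "-ctr"
# Assumption: a CTR-only list to recommend when the config offers no CTR cipher.
RECOMMENDED = "aes128-ctr,aes192-ctr,aes256-ctr"


def offered_ciphers(config_text):
    """Return the cipher list from the last 'Ciphers' directive, or None if absent."""
    ciphers = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"(?i)^ciphers\s+(\S+)", line)
        if m:
            ciphers = [c.strip() for c in m.group(1).split(",") if c.strip()]
    return ciphers


def audit_ciphers(config_text):
    """Classify offered ciphers; 'exposed' is True if any CBC mode can be negotiated."""
    ciphers = offered_ciphers(config_text)
    if ciphers is None:
        # Assumption: no directive means the implementation default, which offers CBC.
        return {"explicit": False, "cbc": [], "ctr": [], "exposed": True,
                "recommendation": "Ciphers " + RECOMMENDED}
    cbc = [c for c in ciphers if c.endswith(CBC_SUFFIX)]
    ctr = [c for c in ciphers if c.endswith(CTR_SUFFIX)]
    # Keep the CTR ciphers already offered; otherwise fall back to the recommended set.
    fixed = ",".join(ctr) if ctr else RECOMMENDED
    return {"explicit": True, "cbc": cbc, "ctr": ctr, "exposed": bool(cbc),
            "recommendation": "Ciphers " + fixed}


# Constructed sample sshd_config fragments (not taken from the advisory).
WEAK_CONFIG = """# sample sshd_config fragment
Port 22
Ciphers aes128-cbc,3des-cbc,aes128-ctr,aes256-ctr
"""
HARDENED_CONFIG = "Ciphers aes128-ctr,aes192-ctr,aes256-ctr\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("implicit", "")):
        print(name, audit_ciphers(cfg))
```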


Vendor Information
------------------
Buffalo: not vulnerable.

SSH Communications Security has released the following advisory on its website.
http://www.ssh.com/company/news/article/953/


Credits
-------

CPNI would like to thank Martin Albrecht, Kenny Paterson and
Gaven Watson from the Information Security Group at
Royal Holloway, University of London for reporting these issues.

Please visit http://www.isg.rhul.ac.uk for details about the
Information Security Group at Royal Holloway.


Contact Information
-------------------
Centre for the Protection of National Infrastructure (CPNI).
Email: csirtuk@cpni.gsi.gov.uk

For sensitive information the CSIRTUK PGP key is available from:
http://www.cpni.gov.uk/key.aspx


What is CPNI?
-------------
For further information regarding the Centre for the Protection of
National Infrastructure, please visit http://www.cpni.gov.uk.

Reference to any specific commercial product, process, or service by
trade name, trademark manufacturer, or otherwise, does not constitute
or imply its endorsement, recommendation, or favouring by CPNI. The
views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.

Neither shall CPNI accept responsibility for any errors or omissions
contained within this advisory. In particular, they shall not be
liable for any loss or damage whatsoever, arising from or in
connection with the usage of information contained within this notice.

© 2008 Crown Copyright