
Vulnerability_Advisory_SSH.txt

Posted on 18 November 2008
Source: packetstormsecurity.org


CPNI Vulnerability Advisory SSH

Plaintext Recovery Attack Against SSH

Version Information
-------------------
Advisory Reference CPNI-957037
Release Date 14/11/08
Last Revision 17/11/08
Version Number 2.0 - Changes to Impact and Summary sections. Version History added. Vendor details added
Version History

Acknowledgement
---------------

This issue was reported by Martin Albrecht, Kenny Paterson and Gaven Watson
from the Information Security Group at Royal Holloway, University of London.

What is affected?
-----------------
The attack was verified against the following product version running on Debian GNU/Linux:

- OpenSSH 4.7p1

Other versions are also affected. Other implementations of the SSH
protocol may also be affected.

Impact
------

If exploited, this attack can potentially allow an attacker to
recover up to 32 bits of plaintext from an arbitrary block of
ciphertext from a connection secured using the SSH protocol in
the standard configuration. If OpenSSH is used in the standard
configuration, then the attacker's success probability for
recovering 32 bits of plaintext is 2^{-18}. A variant of the
attack against OpenSSH in the standard configuration can verifiably recover 14
bits of plaintext with probability 2^{-14}. The success probability
of the attack for other implementations of SSH is not known.

Severity
--------

The severity is considered to be potentially HIGH due to the
32 bits of plaintext that can be recovered. However, the
likelihood of a successful attack is considered LOW.


Summary
-------

Secure Shell or SSH is a network protocol that allows data to be
exchanged using a secure channel between two networked devices. A
design flaw in the SSH specification allows an attacker with control
over the network to recover up to 32 bits of plaintext from an
SSH-protected connection in the standard configuration. The success
probability in recovering 32 plaintext bits is 2^{-18} when attacking
the OpenSSH implementation of the SSH RFCs. A variant of the attack
against the OpenSSH implementation verifiably recovers 14 plaintext bits with
probability 2^{-14}. The recovered bits come from an arbitrary,
attacker-selected block of ciphertext. The success probabilities for
other implementations are unknown (but are potentially much higher).

Details
-------

The attack works by analysing the behaviour of the SSH connection
when handling certain types of errors.

The attack was tested against the OpenSSH implementation of the SSH
RFCs.

We expect any RFC-compliant SSH implementation to be vulnerable
to some form of the attack.

The attacks lead to the tear down of the SSH connection, meaning that
they cannot directly be iterated to increase the success probability.
However, the SSH architectural RFC (RFC 4251) states that the SSH
connection should be re-established in the event of errors. So, if
SSH were used to protect a fixed plaintext across multiple connections,
and connections were automatically re-established in compliance with RFC
4251, then the success probability could be increased.

Solution
--------

The most straightforward solution is to use CTR mode instead
of CBC mode, since this renders SSH resistant to the attack. An RFC
already exists to standardise counter mode for use in SSH (RFC 4344)
and AES in counter mode is supported by OpenSSH. A switch to AES in counter
mode could most easily be enforced by limiting which encryption
algorithms are offered during the ciphersuite negotiation that takes
place as part of the SSH key exchange (see RFC 4253, Section 7.1).
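The advisory's recommended mitigation is to stop offering CBC-mode ciphers during negotiation, which in OpenSSH is done with the `Ciphers` directive in `sshd_config` (server) or `ssh_config` (client). The following is an added example, not part of the CPNI advisory or of OpenSSH: a small audit-and-fix script that parses a constructed `sshd_config` fragment, lists any CBC-mode ciphers still offered, and rewrites the `Ciphers` line to keep only the non-CBC entries (falling back to the RFC 4344 AES-CTR names `aes128-ctr`, `aes192-ctr`, `aes256-ctr` when nothing else remains or the directive is absent). The sample configuration text is constructed for illustration.

```python
import re
from typing import List

# RFC 4344 counter-mode cipher names supported by OpenSSH. Used as the
# replacement list when a config offers only CBC ciphers or no Ciphers line.
CTR_CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]

# Constructed sample sshd_config fragment (not from the advisory). It mixes
# CBC and CTR modes the way a 2008-era default cipher list did.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1
"""

# OpenSSH keywords are case-insensitive; a leading '#' makes the line a
# comment, which this pattern will not match because '#' is not whitespace.
_CIPHERS_RE = re.compile(r"^\s*Ciphers\s+(\S+)", re.IGNORECASE)


def cipher_list(config_text: str) -> List[str]:
    """Return the ciphers offered by the first (and therefore effective)
    Ciphers directive, or [] if none is set and the built-in default applies."""
    for line in config_text.splitlines():
        m = _CIPHERS_RE.match(line)
        if m:
            return m.group(1).split(",")
    return []


def cbc_ciphers(ciphers: List[str]) -> List[str]:
    """Return the subset of cipher names that are CBC modes (the ones the
    advisory's attack applies to), matched on the '-cbc' token in the name."""
    return [c for c in ciphers if "-cbc" in c.lower()]


def harden_config(config_text: str) -> str:
    """Return a copy of the config with CBC ciphers removed from the first
    Ciphers directive. If no non-CBC cipher remains, or there was no Ciphers
    line at all, the AES-CTR list is written instead so the built-in default
    (which may include CBC) is never relied upon."""
    out = []
    replaced = False
    for line in config_text.splitlines():
        m = _CIPHERS_RE.match(line)
        if m and not replaced:
            kept = [c for c in m.group(1).split(",") if "-cbc" not in c.lower()]
            if not kept:
                kept = list(CTR_CIPHERS)
            out.append("Ciphers " + ",".join(kept))
            replaced = True  # later Ciphers lines are ignored by sshd anyway
        else:
            out.append(line)
    if not replaced:
        out.append("Ciphers " + ",".join(CTR_CIPHERS))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    offered = cipher_list(SAMPLE_SSHD_CONFIG)
    print("offered:", offered)
    print("CBC modes still offered:", cbc_ciphers(offered))
    print("--- hardened config ---")
    print(harden_config(SAMPLE_SSHD_CONFIG), end="")
```

Run the script against a real `sshd_config` by reading the file into `harden_config` and writing the result back only after reviewing the diff; the same `Ciphers` syntax applies on the client side in `ssh_config`, so both ends of a connection can be restricted to CTR mode as the advisory suggests.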


Vendor Information
------------------
Buffalo: not vulnerable

SSH Communications Security has released the following advisory on its website.
http://www.ssh.com/company/news/article/953/


Credits
-------

CPNI would like to thank Martin Albrecht, Kenny Paterson and
Gaven Watson from the Information Security Group at
Royal Holloway, University of London for reporting these issues.

Please visit http://www.isg.rhul.ac.uk for details about the
Information Security Group at Royal Holloway.


Contact Information
-------------------
Centre for the Protection of National Infrastructure (CPNI).
Email: csirtuk@cpni.gsi.gov.uk

For sensitive information the CSIRTUK PGP key is available from:
http://www.cpni.gov.uk/key.aspx


What is CPNI?
-------------
For further information regarding the Centre for the Protection of
National Infrastructure, please visit http://www.cpni.gov.uk.

Reference to any specific commercial product, process, or service by
trade name, trademark manufacturer, or otherwise, does not constitute
or imply its endorsement, recommendation, or favouring by CPNI. The
views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.

Neither shall CPNI accept responsibility for any errors or omissions
contained within this advisory. In particular, they shall not be
liable for any loss or damage whatsoever, arising from or in
connection with the usage of information contained within this notice.

© 2008 Crown Copyright
