Slashdot Mirror


Flaw Made Public In OpenSSH Encryption

alimo20 writes "Researchers at the Royal Holloway, University of London have discovered a flaw in Version 4.7 of OpenSSH on Debian/GNU Linux. According to ISG lead professor Kenny Patterson, an attacker has a 2^{-18} (that is, one in 262,144) chance of success. Patterson says that this is more significant than past discoveries because 'This is a design flaw in OpenSSH. The other vulnerabilities have been more about coding errors.' The vulnerability is possible by a man-in-the-middle intercepting blocks of encrypted material as it passes. The attacker then re-transmits the data back to the server and counts the number of bytes before the server throws error messages and disconnects the attacker. Using this information, the attacker can work backwards to figure out the first 4 bytes of data before encryption. 'The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH, said Patterson. ... Patterson said that he did not believe this flaw had been exploited in the wild, and that to deduce a message of appreciable length could take days.'"

13 of 231 comments

  1. Old version = old news by Anonymous Coward · · Score: 5, Informative

    OpenSSH 5.2 was released in February already which has built-in countermeasures against this form of "attack." Next.

    1. Re:Old version = old news by FunPika · · Score: 5, Informative

      I think it is all below 5.2 according to http://openssh.com/security.html.

      --
      After years of not using a signature, I am going to make one to say the following: Fuck Beta
    2. Re:Old version = old news by againjj · · Score: 4, Informative

      5.1 does not have the countermeasures. 5.2 does. Upgrade.

      Though, while the leaked information is significant, the chance of getting it is tiny, so the risk is small.

    3. Re:Old version = old news by Hurricane78 · · Score: 4, Informative

      eix-sync && emerge -auDNtv world && echo "Yay :D"

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
  2. SSH standard by jgtg32a · · Score: 4, Informative

    From the article it seems that it is more of a design flaw of SSH and not specifically OpenSSH

    And in other news it also appears that the word "chink" is banned in the comments section.

  3. Re:Not much of a threat... by characterZer0 · · Score: 4, Informative

    Did you read the article?

    It indicates that it affects SSH in general, not only one particular implementation.

    --
    Go green: turn off your refrigerator.
  4. Why so much press on this? by spinkham · · Score: 5, Informative

    This flaw was published in Nov 2008 with simple configuration fix, and OpenSSH released a default fixed version in March 2009.
    Also, this attack gives only 4 bytes of unencrypted output after crashing your session many thousands of times, which is sure to be noticed. If you were repeating the exact same network traffic in millions of SSH sessions, an attacker might get something interesting after weeks of crashing your sessions. It's just one of the lamest exploits I've seen, worth mitigating eventually, but not worth all the press it's getting, especially 6 months after release...
    The fix is simple, just use CTR mode encryption instead of CBC, or upgrade to OpenSSH 5.2 or later.
    For more details go to the OpenSSH security page.

    --
    Blessed are the pessimists, for they have made backups.
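A runnable model of the mechanism the summary describes (inject a sniffed CBC block as the start of a new packet, count the bytes the server swallows before it disconnects, work back to four bytes of plaintext) together with the kind of countermeasure the comment above alludes to. This is an added example, not code from the Royal Holloway paper, from OpenSSH or from anyone in this thread. Everything in it is an assumption for illustration: the 4-round Feistel "cipher" standing in for AES/3DES, the 256 KB length cap and block-alignment check the receiver applies, the HMAC-SHA256 MAC, the constructed victim payload, and the names `Receiver`, `recover_four_bytes`, `demo` and `sanity_check_pass_rate`. The hardened receiver models one possible fix (read a fixed amount before rejecting, so the byte count no longer depends on the decrypted block); it is not a description of what OpenSSH 5.2 actually does.

```python
import hashlib, hmac, os, struct

BLOCK, MAC_LEN = 16, 32          # cipher block size, HMAC-SHA256 tag length
MAX_PACKET = 256 * 1024          # assumed cap a receiver enforces on packet_length

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, r, half):
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]

def encrypt_block(key, block):
    """Toy 128-bit block cipher (4-round Feistel); stands in for AES/3DES, not secure."""
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, _xor(left, _round(key, r, right))
    return left + right

def decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(decrypt_block(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

def build_packet(payload):
    """SSH binary packet layout: packet_length | padding_length | payload | padding."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    pad += BLOCK if pad < 4 else 0
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + os.urandom(pad)

class Receiver:
    """Receiving side: decrypts the first block, trusts its length field to decide how
    many more bytes to read, and only then checks the MAC."""
    def __init__(self, key, mac_key, chain, constant_read=False):
        self.key, self.mac_key, self.chain = key, mac_key, chain
        self.constant_read = constant_read   # hardened variant (assumed countermeasure)

    def accept(self, stream):
        """Consume bytes from `stream` until the packet is rejected; return how many were read."""
        take = lambda n: bytes(next(stream) for _ in range(n))
        first = take(BLOCK)
        plain = _xor(decrypt_block(self.key, first), self.chain)   # CBC: D(C) xor previous block
        (length,) = struct.unpack(">I", plain[:4])
        ok = 5 <= length <= MAX_PACKET and (length + 4) % BLOCK == 0
        if self.constant_read:
            # Hardened model: read a fixed amount whatever the length field decoded to,
            # so the byte count no longer encodes the decrypted block.
            take(4 + MAX_PACKET + MAC_LEN - BLOCK)
            return 4 + MAX_PACKET + MAC_LEN
        if not ok:
            return BLOCK                                  # vulnerable: reject at once on a bad length
        rest = take(4 + length + MAC_LEN - BLOCK)         # vulnerable: read exactly what the length said
        body = cbc_decrypt(self.key, self.chain, (first + rest)[:4 + length])
        tag = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if hmac.compare_digest(tag, rest[-MAC_LEN:]):
            raise RuntimeError("forged packet accepted; impossible without the MAC key")
        return 4 + length + MAC_LEN                       # MAC failure: disconnect after this many bytes

def recover_four_bytes(receiver, target, before):
    """Attacker: replay sniffed block C* (`target`) as the start of a new packet, feed filler,
    and count bytes until the receiver disconnects. `before` is the block that preceded C* on
    the wire; receiver.chain is the last block on the wire, which the attacker also saw."""
    def stream():
        yield from target
        while True:
            yield 0
    consumed = receiver.accept(stream())
    if consumed == BLOCK:
        return None                           # length failed the checks: try another block
    length = consumed - 4 - MAC_LEN
    # Receiver used length = (D(C*) xor chain)[:4] and P* = D(C*) xor before, hence
    # P*[:4] = length_bytes xor chain[:4] xor before[:4].
    return _xor(_xor(struct.pack(">I", length), receiver.chain[:4]), before[:4])

def demo(hardened=False):
    """Victim sends one packet, attacker replays its second block.
    Returns (bytes the attacker infers, bytes actually in the plaintext)."""
    key = hashlib.sha256(b"demo enc key").digest()[:16]
    mac_key = hashlib.sha256(b"demo mac key").digest()
    iv = hashlib.sha256(b"demo iv").digest()[:BLOCK]
    plain = build_packet(b"user=alice;ssn=123-45-6789 sent over the tunnel")   # constructed victim data
    cipher = cbc_encrypt(key, iv, plain)                       # what the attacker sniffs
    before, target = cipher[:BLOCK], cipher[BLOCK:2 * BLOCK]   # C*_1 and C*_2
    true_bytes = plain[BLOCK:BLOCK + 4]
    # Receiver's chaining state at injection time, fixed here to the lucky case (the decrypted
    # length field reads 44) so the run is deterministic. In reality it is whatever the last
    # legitimate ciphertext block was, and only about one injection in 2^18 decrypts to a
    # length that passes the checks (see sanity_check_pass_rate).
    lucky = _xor(_xor(true_bytes, before[:4]), struct.pack(">I", 44)) + bytes(BLOCK - 4)
    receiver = Receiver(key, mac_key, chain=lucky, constant_read=hardened)
    return recover_four_bytes(receiver, target, before), true_bytes

def sanity_check_pass_rate():
    """Fraction of random 32-bit length fields surviving the receiver's checks, i.e. the
    per-attempt success probability of the attack against this model."""
    return sum(1 for n in range(5, MAX_PACKET + 1) if (n + 4) % BLOCK == 0) / 2 ** 32
```

`demo()` returns `(b"ssn=", b"ssn=")`: the attacker never touches the key, only the byte count. `demo(hardened=True)` returns a first element unrelated to the plaintext because the count is now constant. With the cap and alignment check chosen here, `sanity_check_pass_rate()` is exactly 2^-18, the per-attempt figure quoted in the summary, which is why a real run burns through hundreds of thousands of torn-down connections per four bytes. Switching to CTR mode, as the comment above suggests, removes the leak at the root: an injected block then decrypts to C* xor the keystream at the new position, which says nothing about the victim's plaintext at the old one.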
  5. To those wondering why they mention Debian by cptnapalm · · Score: 4, Informative

    It is because that happened to be the system that they found the vulnerability on.

    Nothing more than that, really.

  6. Re:How vulnerable? by vadim_t · · Score: 5, Informative

    That's the wrong way to check it.

    Debian and Ubuntu are not going to upgrade to 5.2. They will take the security fix, backport it to 4.7, and release that as an update. If you check the version you'll get 4.7, even with the fix applied.

  7. Re:Appreciable length? by asdf7890 · · Score: 4, Informative

    > Patterson said that he did not believe this flaw had been exploited in the wild, and that to deduce a message of appreciable length could take days.

    Is my social security number a "message of appreciable length?"

    Probably not on its own. Fully packed it would take 33 bits, 11 bytes (88 bits, though if the attacker knew for sure that an SSN was being sent in those bytes the search space would not be significantly greater than the 33 bits) if represented in pure ASCII text with separators.

    As each attempt to read each 32 bits has a 11/2^18 chance of success, and assuming failure of one attempt gives no extra clue as to which other patterns to try next, each 4 byte block is going to take on average 131,072 connections to infer from the server response, so for the 11 byte ASCII string that is an average attack length of 393,216 connections.

    While that isn't going to take long (at 4.5 connections per second you are looking at a day), any message being sent containing your SSN is going to be significantly longer than the SSN on its own so I wouldn't worry just yet.

    We are still in "it would be a lot easier for the attacker to raid your bins, burgle your house, or steal records from your bank" territory here. Though there is the chance that someone improves the attack (or already has) so be vigilant and apply updated SSH packages as soon as practical once your distribution offers them.

  8. Re:How to check SSH version by supernova_hq · · Score: 4, Informative

    Good lord, I'm actually canceling about 10 mod points to post this... "ssh -V" will give you the version of your CLIENT, not the server.

  9. Re:Good Thing by mzs · · Score: 4, Informative

    It may sound funny, but the MIT Kerberos sources contain a version of telnet and telnetd that support encryption. There has not been a vulnerability in that for a while that I know of. There was a stupid vulnerability in logind on Solaris though which that telnet used. Also there is an encrypted version of rsh, rshd, and klogind in that source code. There has not been anything reported on that in a while either, though I think you only get 3DES if I recall correctly.