Slashdot Mirror

← Back to Stories (view on slashdot.org)

Flaw Made Public In OpenSSH Encryption

Posted by timothy on from the days-to-whom dept.

alimo20 writes "Researchers at the Royal Holloway, University of London have discovered a flaw in Version 4.7 of OpenSSH on Debian/GNU Linux. According to ISG lead professor Kenny Patterson, an attacker has a 2^{-18} (that is, one in 262,144) chance of success. Patterson tells that this is more significant than past discoveries because 'This is a design flaw in OpenSSH. The other vulnerabilities have been more about coding errors.' The vulnerability is possible by a man-in-the-middle intercepting blocks of encrypted material as it passes. The attacker then re-transmits the data back to the server and counts the number of bytes before the server to throws error messages and disconnects the attacker. Using this information, the attacker can work backwards to figure out the first 4 bytes of data before encryption. 'The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH, said Patterson. ... Patterson said that he did not believe this flaw had been exploited in the wild, and that to deduce a message of appreciable length could take days.'"

30 of 231 comments (clear)

  1. Old version = old news by Anonymous Coward · · Score: 5, Informative

    OpenSSH 5.2 was released in February already which has builtin countermeasures against this form of "attack." Next.

    1. Re:Old version = old news by againjj · · Score: 4, Insightful

      The interesting part here is that more details have been released about what the flaw actually was. Before, it was merely "there is a flaw, and we have notified vendors", but now more details are available. In particular, that while 5.2 has countermeasures, it is a flaw in the protocol itself, and not the implementation. "Countermeasure" does not equal "completely solved".

    2. Re:Old version = old news by FunPika · · Score: 5, Informative

      I think it is all below 5.2 according to http://openssh.com/security.html.

      --
      After years of not using a signature, I am going to make one to say the following: Fuck Beta
    3. Re:Old version = old news by againjj · · Score: 4, Informative

      5.1 does not have the countermeasures. 5.2 does. Upgrade.

      Though, while the leaked information is significant, the chance at getting it in tiny, so the risk is small.

    4. Re:Old version = old news by Prof.Phreak · · Score: 4, Funny

      O_o

      $ ssh -V
      OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003

      --

      "If anything can go wrong, it will." - Murphy

    5. Re:Old version = old news by dave562 · · Score: 4, Insightful

      It may be the "old" version, but it is the version most readily available. I setup an Ubuntu server (9.04) a couple of months ago. I used apt to get OpenSSH on it last month. The version it retrieved is

      OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007

      Just because a new version is out doesn't mean people are using it. People who rely on package maintainers or "the community" to help them out and keep things up to date could very well be let down. Moral of the story, if you want something done right, you have to do it yourself.

    6. Re:Old version = old news by Hurricane78 · · Score: 4, Informative

      eix-sync && emerge -auDNtv world && echo "Yay :D"

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    7. Re:Old version = old news by RazzleDazzle · · Score: 4, Funny

      More importantly: can you send me the output of "ifconfig" and "lynx -dump http://www.ipchicken.com/"

      --
      ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
    8. Re:Old version = old news by X0563511 · · Score: 4, Funny

      eix-sync && emerge -auDNtv world; sleep 1374261893645973165479613; echo "FINALLY!"

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  2. Good Thing by neoform · · Score: 5, Funny

    Whew. Glad I use Telnet.

    --
    MABASPLOOM!
    1. Re:Good Thing by timeOday · · Score: 5, Funny

      But telnet transmits your credentials unencrypted! To be super-secure I simply avoid transmitting them in the first place...

      root@host# nc -l -p 1999 -c bash

      user@otherhost: nc otherhost 1999
      whoami
      rm -fR /

      (PS don't actually do this)

    2. Re:Good Thing by mzs · · Score: 4, Informative

      It may sound funny, but the MIT Kerberos sources contain an version of telnet and telnetd that support encryption. There has not been a vulnerablity in that for a while that I know of. There was a stupid vulnerability in logind on Solaris though which that telnet used. Also there is an encrypted version of rsh, rshd, and klogind in that source code. That has not been anything reported on that in a while either, though I think you only get 3DES if I recall correctly.

  3. SSH standard by jgtg32a · · Score: 4, Informative

    From the article it seems that it is more of a design flaw of SSH and not specifically OpenSSH

    And in other news it also appears that the word "chink" is banned in the comments section.

    1. Re:SSH standard by FMZ · · Score: 5, Funny

      Hmmm.... k. Seems there's an Asian-American in the armor of OpenSSH

  4. Re:Not much of a threat... by characterZer0 · · Score: 4, Informative

    Did you read the article?

    It indicates that it effects SSH in general, not only one particular implementation.

    --
    Go green: turn off your refrigerator.
  5. Design flaw by aaronfaby · · Score: 5, Interesting

    If the flaw is in the design of SSH, wouldn't all OS's be effected? Why does this only effect Debian?

    1. Re:Design flaw by Culture20 · · Score: 4, Funny

      Why does this only effect Debian?

      Damnit, it's affect.

      Not if the openSSH flaw were causing Debian to exist. Then it would be effecting Debian.
      http://crofsblogs.typepad.com/english/2005/08/effect_as_a_ver.html

  6. Wait, what? by JSBiff · · Score: 4, Insightful

    ". . .discovered a flaw in Version 4.7 of OpenSSH on Debian/GNU Linux."

    "The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH"

    So which is it, is it an implementation specific bug, which is specific to OpenSSH on Linux specifically, OpenSSH on all O/Ses, or is it a flaw in the RFC, which should make it exploitable on *all* implementations of SSH, shouldn't it? How can a flaw in the standard only be exploitable in one version of one implementation of the standard on one specific target OS?

    1. Re:Wait, what? by JSBiff · · Score: 4, Insightful

      I *did* read the TFA, and it really wasn't clear in the article at all. Why even bother mentioning Debian and Linux, if the problem was an SSH problem, and not at all specific to Debian or Linux? Seems like it was just a somewhat poorly written article, adding confusion where there didn't have to be. People will take away from this that this is a Linux problem, and might not consider the possibility that, e.g. Mac OS X (which I believe includes some version of OpenSSH) may *possibly* be shipping an affected version of the software (I'm not saying it is, I'm just saying that the article author wrote the article in such a way that it appears the problem is strongly linked to Linux, when it sounds, upon further examination, like it isn't).

      It's really not definitive from the article whether or not other implementations are or might be affected, despite your assertion.

  7. Original advisory by againjj · · Score: 4, Informative

    http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt

  8. Some Additional Perspective FTA by Fantom42 · · Score: 4, Insightful

    FTA, this vulnerability is addressed in newer versions of OpenSSH, not by fixing the specification, but by employing some kind of workaround to make it impractical. I didn't know that from the summary, since I don't really keep current on where OpenSSH is with their releases.

    It seems like this attack has an awfully small chance of success. I am wondering if there is that small chance of success to decode a message after many days, or if because of the small chance of success, it would take multiple days before you had anything.

    If this is really something that has almost no chance of working at all--period, I'm not too worried. If it is something that makes the encryption breakable in a few days, that's a pretty big deal and am surprised that it didn't get outed sooner as a flaw.

    Can/should the RFC be revised to close this hole? Are there other (perhaps more obvious) examples of weakness in the RFC that have implementation-specific fixes applied?

  9. Why so much press on this? by spinkham · · Score: 5, Informative

    This flaw was published in Nov 2008 with simple configuration fix, and OpenSSH released a default fixed version in March 2009.
    Also, this attack gives only 4 bytes of unencrypted output after crashing your session many thousands of times, which is sure to be noticed. If you were repeating the exact same network traffic in millions of SSH sessions, an attacker might get something interesting after weeks of crashing your sessions. It's just one of the lamest exploits I've seen, worth mitigating eventually, but not worth all the press it's getting, especially 6 months after release...
    The fix is simple, just use CTR mode encryption instead of CBC, or upgrade to OpenSSH 5.2 or later.
    For more details go to the OpenSSH security page.

    --
    Blessed are the pessimists, for they have made backups.
  10. To those wondering why they mention Debian by cptnapalm · · Score: 4, Informative

    It is because that happened to be the system that they found the vulnerability on.

    Nothing more than that, really.

  11. Re:Not much of a threat... by morgan_greywolf · · Score: 5, Insightful

    Yes. That's why we now have replaced telnet/rsh/rcp and authenticated FTP with ssh and scp, NIS with LDAP+Kerberos, /etc/shadow, authentication in NFS, support for other filesystems like CIFS, etc.

    Microsoft, for their part, haven't changed all that much.

    --
    My blog
  12. Re:How vulnerable? by vadim_t · · Score: 5, Informative

    That's the wrong way to check it.

    Debian and Ubuntu are not going to upgrade to 5.2. They will take the security fix, backport it to 4.7, and release that as an update. If you check the version you'll get 4.7, even with the fix applied.

  13. Re:Appreciable length? by asdf7890 · · Score: 4, Informative

    > Patterson said that he did not believe this flaw > had been exploited in the wild, and that to > deduce a message of appreciable length could take > days.

    Is my social security number a "message of appreciable length?"

    Probably not on its own. Full packed it would take 33 bits, 11 bytes (88 bits, though if the attacker knew for sure that an SSN was being sent in those bytes the search space would not significantly greater than the 33 bits) if represented in pure ASCII text with separators.

    As each attempt to read each 32 bits has a 11/2^18 chance of success, and assuming failure of one attempt does no extra clue as to which other patterns to try next, each 4 byte block is going to take on average 131,072 connections to infer from the server response so for the 11 byte ASCII string that is an average attack length of 393,216 connections.

    While that isn't going to take long (at 4.5 connections per second you are looking at a day), any message being sent containing your SSN is going to be significatly longer than the SSN on its own so I wouldn't worry just yet.

    We are still in "it would be a lot easier for the attacker to raid your bins, burgle your house, or steal records from your bank" territory here. Though there is the chance that someone improve the attack (or already has) so be vigilant and apply updated SSH packages as soon as practical once your distribution offers them.

  14. Re:OKay by swillden · · Score: 4, Funny

    The 2^-18 is _really_scary_

    The 'first 4 bytes', not so much.

    So, meh. Of course true hardcore cryptanalysts are sure to be already ditching OpenSSH or maybe piping it through GPG first.

    Fuck gubfr onfgneqf, ebg13 vf tbbq rabhtu sbe nalbar.

    Allow me to translate:

    $ echo "Fuck gubfr onfgneqf, ebg13 vf tbbq rabhtu sbe nalbar." | caesar
    Shpx those bastards, rot13 is good enough for anyone.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  15. Re:How to check SSH version by supernova_hq · · Score: 4, Informative

    Good lord, I'm actually canceling about 10 mod points to post this... "ssh -V" will give you the version of your CLIENT, not the server.

  16. I wish people would try to understand CRYPTO hacks by omb · · Score: 4, Interesting

    This was never a real threat, just another piece of Academic FUD. To be vulnerable as an interactive ssh user you would have to ignore 100,000 aborted sessions to expose 14 bits of plaintext, I think I would notice, and block the attacker.

    There are a whole suite of cyphers, including AES aka Rijhndael are configurable, have you done yours?, and not vulnerable.

    Finally the protocol is trivially fixed.

    Now I for one, whilst I have the highest respect for the work done by people like Ross Anderson and Schnieer am fed up to the back teeth with alarmism from governments, NGOs and academics -- all of which add up to give us more money.

    If you dont know these researchers were working for the UK equivalent of Homeland Security and failed to inform SSH of the details of the attack, doubtless quoting National Security.

    These people who parade nonsense should be tarred an feathered and sent on the next rail.

  17. Re:How vulnerable? by chrysalis · · Score: 4, Insightful

    If your security scanner reports a vulnerability based on banners instead of testing the real flaw, they are flawed.
    Such security scanners feed the myth that changing/removing banners magically makes your network secure.

    --
    {{.sig}}