
[linux-security] Weaknesses in the SSH protocol



Topic
=====
Possible to determine password length

Problem description
===================
Weaknesses in the SSH protocols can be used by a passive attacker to deduce
information about passwords entered over an encrypted connection.  This
information can be used to reduce the number of possible solutions which
need to be tested to perform a brute-force attack. This reduces the amount
of time and resources required to mount such an attack successfully.

OpenSSH 2.5.1 and 2.5.2 include modifications which, while not completely
resolving this problem, reduce the risks by changing certain server
behaviors to make passive analysis more difficult.
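
The following is an added illustration, not code from the advisory or from OpenSSH: it models the SSH-1 binary packet framing (type byte, payload, 4-byte CRC, 1 to 8 bytes of padding to an 8-byte boundary) to show why the on-the-wire size of a password packet tells a passive observer the password length to within 8 bytes, and how padding the password to a fixed granularity before framing removes that signal. The 32-byte granularity is an assumption chosen for the example.

```python
import zlib

SSH1_BLOCK = 8            # SSH-1 pads each packet to a multiple of 8 bytes
PAD_GRANULARITY = 32      # assumed: client pads passwords to a multiple of this
SSH_CMSG_AUTH_PASSWORD = 9

def ssh1_string(data: bytes) -> bytes:
    """SSH-1 'string' type: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data

def frame_ssh1_packet(msg_type: int, payload: bytes) -> bytes:
    """Build an SSH-1 binary packet.  Everything after the 4-byte length field
    is encrypted, but the total length is what a passive observer sees."""
    body = bytes([msg_type]) + payload
    length = len(body) + 4                        # +4 for the CRC32 trailer
    padding = SSH1_BLOCK - (length % SSH1_BLOCK)  # always 1..8 bytes
    padded = bytes(padding) + body
    crc = zlib.crc32(padded).to_bytes(4, "big")
    return length.to_bytes(4, "big") + padded + crc

def naive_wire_length(password: str) -> int:
    """Wire size when the password is sent as-is (the leaky behaviour)."""
    payload = ssh1_string(password.encode())
    return len(frame_ssh1_packet(SSH_CMSG_AUTH_PASSWORD, payload))

def padded_wire_length(password: str) -> int:
    """Wire size when the client NUL-pads the password to a multiple of
    PAD_GRANULARITY before framing (assumed mitigation; the server treats the
    password as a C string, so trailing NULs are ignored)."""
    pw = password.encode()
    target = -(-(len(pw) + 1) // PAD_GRANULARITY) * PAD_GRANULARITY  # room for a NUL
    payload = ssh1_string(pw.ljust(target, b"\0"))
    return len(frame_ssh1_packet(SSH_CMSG_AUTH_PASSWORD, payload))

def distinct_lengths(encoder, max_len: int = 24) -> int:
    """Number of different wire sizes an observer sees for passwords of
    1..max_len characters: the fewer, the less the length leaks."""
    return len({encoder("a" * n) for n in range(1, max_len + 1)})

if __name__ == "__main__":
    # Constructed sample: passwords of 1..24 characters.
    print("naive  :", distinct_lengths(naive_wire_length), "distinct sizes")
    print("padded :", distinct_lengths(padded_wire_length), "distinct sizes")
```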

Affected Systems
================
All versions of ssh. OpenSSH versions >= 2.5.1 are not vulnerable.
I do not know whether the commercial SSH version (from www.ssh.com) has
a fix available.

Solution
========
Upgrade to openssh-2.5.2p2.
Please read the Remarks section at the end of this advisory!

RedHat 7.0
----------
rpm -Fvh openssh-2.5.2p2-1.7.i386.rpm \
         openssh-askpass-2.5.2p2-1.7.i386.rpm \
         openssh-askpass-gnome-2.5.2p2-1.7.i386.rpm \
         openssh-clients-2.5.2p2-1.7.i386.rpm \
         openssh-server-2.5.2p2-1.7.i386.rpm

RedHat 6.x
----------
RedHat 6.x did not come with openssh. I have rebuilt the RedHat 7 rpms
for RedHat 6.x (for x < 2 you will have to upgrade your initscripts package
in order to use this: rpm -Fvh initscripts-5.00-1.i386.rpm). In order to
use these packages you must upgrade the openssl package to version 0.9.6.
All of these packages can be found on sphinx in
/vol/vol1/distrib/redhat/contrib. Upgrade with
rpm -Fvh openssl-0.9.6-1.i386.rpm \
         openssl-devel-0.9.6-1.i386.rpm \
         openssl-misc-0.9.6-1.i386.rpm \
         openssh-2.5.2p2-1.6.x.i386.rpm \
         openssh-askpass-2.5.2p2-1.6.x.i386.rpm \
         openssh-askpass-gnome-2.5.2p2-1.6.x.i386.rpm \
         openssh-clients-2.5.2p2-1.6.x.i386.rpm \
         openssh-server-2.5.2p2-1.6.x.i386.rpm
Please email me, if you find problems with these rpms.
Alternatively you can upgrade using the packages from www.openssh.com.

Mandrake 7.0
------------
rpm -Fvh openssh-2.5.2p2-1.6mdk.i586.rpm \
         openssh-askpass-2.5.2p2-1.6mdk.i586.rpm \
         openssh-askpass-gnome-2.5.2p2-1.6mdk.i586.rpm \
         openssh-clients-2.5.2p2-1.6mdk.i586.rpm \
         openssh-server-2.5.2p2-1.6mdk.i586.rpm

Mandrake 7.1
------------
rpm -Fvh openssh-2.5.2p2-1.5mdk.i586.rpm \
         openssh-askpass-2.5.2p2-1.5mdk.i586.rpm \
         openssh-askpass-gnome-2.5.2p2-1.5mdk.i586.rpm \
         openssh-clients-2.5.2p2-1.5mdk.i586.rpm \
         openssh-server-2.5.2p2-1.5mdk.i586.rpm

Mandrake 7.2
------------
rpm -Fvh openssh-2.5.2p2-1.4mdk.i586.rpm \
         openssh-askpass-2.5.2p2-1.4mdk.i586.rpm \
         openssh-askpass-gnome-2.5.2p2-1.4mdk.i586.rpm \
         openssh-clients-2.5.2p2-1.4mdk.i586.rpm \
         openssh-server-2.5.2p2-1.4mdk.i586.rpm

Remarks
=======
1) There is a bug in all versions of OpenSSH up to (and including) 2.5.1p1:
   the rijndael/aes implementation did not have the correct endian macros
   defined and defaulted to little endian in all cases. In previous
   versions this was usually not a problem because rijndael/aes was a fair
   way down the list of ciphers that were negotiated. However, in version
   2.5.2p2 rijndael/aes was moved so that it is always negotiated if both
   client and server support it. This becomes a problem if you try to make
   a connection from a machine running 2.5.2p2 to a big endian machine
   (e.g., Suns, SGIs, etc.) running OpenSSH versions < 2.5.2p2. If you
   see an error message similar to

 c2 2c 5e 45 38 ea 9a 73 7d d1 23 5b 8e a1 84 7b
Disconnecting: Bad packet length -1037279675.

   you ran into this problem. Connecting with a different cipher works
   around it, e.g.,
   # ssh -c 3des-cbc <hostname>
   should work.
   At SFU this should not be a problem since all Suns in ACS/OTS (fraser, etc.)
   were upgraded to version 2.5.2p2.

2) This version of OpenSSH will use an RSA key for ssh protocol version 2 by
   default. That is, it will use the RSA server key even if the RSA key
   is not present in your ~/.ssh/authorized_keys2 file but the DSA key is.
   This behaviour will result in a message

The authenticity of host 'xyz (w.x.y.z)' can't be established.
RSA key fingerprint is 4b:f8:81:be:9e:bc:7d:0c:37:e6:ba:c8:30:72:6e:0c.
Are you sure you want to continue connecting (yes/no)?

   You will see this message even if you have connected to that host
   before. You can disable this behaviour in ssh servers by commenting
   out the RSA key in the /etc/ssh/sshd_config file:
   replace

HostKey /etc/ssh/ssh_host_rsa_key

   with

#HostKey /etc/ssh/ssh_host_rsa_key

   All Suns in ACS/OTS have RSA keys for protocol version 2 disabled.