Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: InfoSec Handlers Diary Blog - Plaintext Recovery Attack Against OpenSSH InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Plaintext Recovery Attack Against OpenSSH

Published: 2008-11-18
Last Updated: 2008-11-18 17:56:30 UTC
by Joel Esler (Version: 4)
2 comment(s)

This morning we've received a couple emails and a post in our IRC channel (#dshield on concerning a Plaintext Recovery Attack against OpenSSH.  Specifically version 4.7p1, which is quite old.


From the article:

"If exploited, this attack can potentially allow an attacker to
recover up to 32 bits of plaintext from an arbitrary block of
ciphertext from a connection secured using the SSH protocol in
the standard configuration. If OpenSSH is used in the standard
configuration, then the attacker's success probability for
recovering 32 bits of plaintext is 2^{-18}. A variant of the
attack against OpenSSH in the standard configuration recovers 14
bits of plaintext with probability 2^{-14}. The success probability
of the attack for other implementations of SSH is not known."

Here's a link to the article itself:  here.  So that you may read at your leisure.

Here's a link to OpenSSH's Security Page: here.

The current version of OpenSSH is 5.1, and it's been out since July.  So make sure you are patched by running "ssh -V" on the command line.

I just did it on my OSX Machine and I am running 5.1p1. 

UPDATE:  Received an email from a reader, (thanks Jack!), Ubuntu 8.04, updated as of this morning is still running OpenSSH 4.7p1.

UPDATE 2:  A workaround apparently, from information I have just read (at least for SSH Tectia Products) is to stop using CBC mode block cyphers.  At least in the SSH Tectia products, you can use the CryptiCore or Arcfour encryption algorithm.

UPDATE 3:  The likelyhood of successful attack is LOW according to the link I posted to the article above, the vulnerability requires "retransmission of plaintext on reconnect to be successful".  I'm not saying that 5.1 is not vulnerable.  I am saying that 5.1 is the current version, just so there is no misconception.  CPNI says: "We expect any RFC-compliant SSH implementation to be vulnerable to some form of the attack."

We're not telling you to stop using SSH, by no means.  We expect updates to be posted that switch encryption algorithms.

We won't be raising the Infocon anytime soon unless we start seeing patterns of attack, or an exploit comes out that makes it very simple to exploit this vulnerability.  As you know, our Infocon doesn't get raised on every little thing.  We discuss it internally heavily before we move it in any direction.


-- Joel Esler


2 comment(s)
Diary Archives