OpenBSD Journal

[OpenSSH] Clarification of SSH1 Vulnerabilites

Contributed by Dengue on from the markus dept.

Markus Friedl (the not often enough credited primary developer of OpenSSH), has posted to misc@ and BUGTRAQ, et al, a Special Security Note about OpenSSH and the recent SSH Protocol version 1 implementation weaknesses.

Read more for the full report:


Subject: OpenSSH is _not_ vulnerable the several known problems in SSH-1
   Date: Thu, 15 Feb 2001 09:13:41 +0100
   From: Markus Friedl

    To:  openssh-unix-dev@mindrot.org, ssh@clinet.fi, security-announce@openbsd.org, 
         misc@openbsd.org
    CC:  bugtraq@securityfocus.com




-----------------------------------------------------------------------
                
                  Special OpenBSD Security Note
                                 
                        February 14, 2001
                                 
 OpenSSH is _not_ vulnerable the several known problems in SSH-1

-----------------------------------------------------------------------

The CERT Coordination Center has published the following notes about
weaknesses in various SSH protocol version 1 implementations.

Since many people using OpenSSH are worried about these issues,
we decided to publish these notes.

1) http://www.kb.cert.org/vuls/id/565052
   "Passwords sent via SSH encrypted with RC4 can be easily cracked"

2) http://www.kb.cert.org/vuls/id/665372
   "SSH connections using RC4 and password authentication can be
   replayed"

3) http://www.kb.cert.org/vuls/id/25309
   "Weak CRC allows RC4 encrypted SSH packets to be modified without
   notice"

4) http://www.kb.cert.org/vuls/id/684820
   "SSH allows client authentication to be forwarded if encryption
   is disabled"

5) http://www.kb.cert.org/vuls/id/315308
   "Last block of IDEA-encrypted SSH packet can be changed without
   notice"

6) http://www.kb.cert.org/vuls/id/786900
   "SSH host key authentication can be bypassed when DNS is used
   to resolve localhost"

7) http://www.kb.cert.org/vuls/id/118892
   "Older SSH clients do not allow users to disable X11 forwarding"

OpenSSH is _not_ vulnerable to #1, #2 and #3 since OpenSSH does not
allow RC4 in its SSH protocol 1 implementation.

OpenSSH is _not_ vulnerable to #4 since OpenSSH does not allow
encryption to be disabled.

OpenSSH is _not_ vulnerable to #5 since OpenSSH does not support
IDEA.

OpenSSH is _not_ vulnerable to #6 since OpenSSH does not resolve
"localhost".  OpenSSH uses the resolved IP-address and disables the
host key authentication for 127.0.0.1 only.

OpenSSH is _not_ vulnerable to #7 since OpenSSH permits users to
disable X11 forwarding, and this is the default configuration in
the OpenSSH client.

The SSH protocol version 2 (a.k.a. SecSH) is not affected by problems
#1, #2, #3, #4 and #5.

The OpenSSH client currenly defaults to preferring SSH-1 protocol
over SSH-2 protocol, but in a future release the default will soon
change, since the SSH-2 protocol support has improved considerably.

-----------------------------------------------------------------------

(Comments are closed)


Comments
  1. By brendan () zarathustra@iwon.com on mailto:zarathustra@iwon.com

    Same link issue as last posting.

    Are you doing a cut and paste?
    :>

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]