Contributed by ray on from the DON'T-PANIC! dept.
OpenSSH Security Advisory: cbc.adv
Regarding the "Plaintext Recovery Attack Against SSH" reported as CPNI-957037:
The OpenSSH team has been made aware of an attack against the SSH protocol version 2 by researchers at the University of London. Unfortunately, due to the report lacking any detailed technical description of the attack and CPNI's unwillingness to share necessary information, we are unable to properly assess its impact.
Based on the description contained in the CPNI report and a slightly more detailed description forwarded by CERT this issue appears to be substantially similar to a known weakness in the SSH binary packet protocol first described in 2002 by Bellare, Kohno and Namprempre. The new component seems to be an attack that can recover 14 bits of plaintext with a success probability of 2^-14, though we suspect this underestimates the work required by a practical attack.
For most SSH usage scenarios, this attack has a very low likelihood of being carried out successfully - each attempt has a low probability of success and each failure will cause connection termination with a fatal error. It is therefore very unlikely for an interactive session to be usefully attacked using this protocol weakness: an attacker would expect around 11356 connection-killing attempts before they are likely to succeed. This level of disruption would certainly be noticed and it is highly unlikely that any user would retry the connection enough times for the attack to succeed.
The usage pattern where the attack is most likely to succeed is where an automated connection is configured to retry indefinitely in the event of errors. In this case, it might be possible to recover on average 44 bits of plaintext per hour (assuming a very fast 10 connections per second). Implementing a limit on the number of connection retries (e.g. 256) is sufficient to render the attack infeasible for this case.
AES CTR mode and arcfour ciphers are not vulnerable to this attack at all. These may be preferentially selected by placing the following directive in sshd_config and ssh_config:
Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
A future version of OpenSSH may make CTR mode ciphers the default and/or implement other countermeasures, but at present we do not feel that this issue is serious enough to make an emergency release.
Thanks, Damien, for clarifying this issue. I'm sure many were concerned, but don't worry! You're in good hands.
Update: Markus Friedl (markus@) committed a change to further reduce the likelihood of this attack:
CVSROOT: /cvs Module name: src Changes by: markus@ 2008/11/21 08:47:38 Modified files: usr.bin/ssh : packet.c Log message: packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
Update 2: Damien updated the advisory:
This is the second revision of this advisory, correcting an error in the estimated number of connection attempts required for a successful attack.
(Comments are closed)
By Alex Hafey (199.67.138.153) on
At least one implementation has been given this, why not OpenSSH?
I'm not far away from these guys, just let me know ;-)
Comments
By Marc Espie (213.41.185.88) espie@openbsd.org on
>
> At least one implementation has been given this, why not OpenSSH?
>
> I'm not far away from these guys, just let me know ;-)
I really should make an habit of keeping copies of webpages when
they first appear.
From what I recall, there is some SERIOUS retcon going on. Specifically, I distinctly recall the first version of the advisories did say that `vendors have been notified'... which is obviously wrong, as you can see.
I'm seriously peeved about the current security market. It seems those guys are fairly desperate to be the FIRST to publish a security vulnerability, to the extent that they will even FOREGO communicating with the actual team that develops the software.
So, to cut to the chase, I believe those guys don't give a FUCK about the security of computer systems. All they care about is their precious list of publications... Otherwise, Damien would already be 100% aware of all the details of the attack...
Wow. You live near them ? feel free to copy/paste and give them this text. I'd be DELIGHTED to learn what they have to say about this.
WITHOUT any legalese, nor other crap. Why don't they play with us ? Damien and friends gave them openssh... NOT debian, NOT any other vendor...
Comments
By Marc Espie (213.41.185.88) espie@openbsd.org on
Okay, I've been informed Theo got some "information" from CPNI... He told us to repost that information on mailing-lists.
Here follows a copy of the document (the original is a pdf, but fortunately, we have tools to extract text from that).
So yes, looks very much like empty red tape to try and protect their asses... Warning: large empty dumb void inside.
Comments
By Anonymous Coward (87.144.88.30) on
You should have written that at the top of your comment.
Would have saved me several minutes figuring out what they are trying to say.
Thanks for sharing anyway.
Comments
By Otto Moerbeek (otto) on http://www.drijf.net
> You should have written that at the top of your comment.
> Would have saved me several minutes figuring out what they are trying to say.
> Thanks for sharing anyway.
I can expect such documents from government institutions. But what I find worse is that the original researchers at the University of London that found the problem go along or even agree with this bureaucratic stuff that decreases security instead of increasing it.
This goes so against the nature of a University. Knowledge should be shared, especially knowledge regarding vulnerabilities. It shows how corrupted researchers have become by making themselves dependent on businesses and governments.
Comments
By Chris Wareham (80.176.91.102) chriswareham@chriswareham.demon.co.uk on www.chriswareham.demon.co.uk
> > You should have written that at the top of your comment.
> > Would have saved me several minutes figuring out what they are trying to say.
> > Thanks for sharing anyway.
>
> I can expect such documents from government institutions. But what I find worse is that the original researchers at the University of London that found the problem go along or even agree with this bureaucratic stuff that decreases security instead of increasing it.
>
> This goes so against the nature of a University. Knowledge should be shared, especially knowledge regarding vulnerabilities. It shows how corrupted researchers have become by making themselves dependent on businesses and governments.
>
The researchers didn't make themselves dependent on business out of choice. The universities in the UK have always been dependent on government, and it is the government that is now forcing them to be dependent on business. Just like the public health system, partnerships with business are being foisted on institutions although it is contrary to their interest as public bodies.
Frankly, as a graduate of the University of London - and one who spent his first year at Royal Holloway - this makes me very upset. The most frustrating thing is that now both of the major UK political parties support this inappropriate commercialisation of universities rather than encouraging a healthy research environment.
Comments
By Anonymous Coward (128.171.90.200) on
Comments
By Anonymous Coward (74.13.28.37) on
No, it simply has poor priorities.
By Anonymous Coward (66.42.183.199) on
Distributors need to keep something going, so they validate anything.
The security market is amazingly corrupt, and incompetent.
We all know this. DJB, wants to put them all out of business.
Look at what UK named group uses for communication to them, PGP Desktop 9.5.3. Enough said.
What else would you expect? Also no real security people distribute info with pdf if they have a choice.
Win doze idiots.
USA CERT helped break up full disclosure by closing things up, and charging $. They made security worse, all this in 2003. Rise of Secunia proves this. See http://www.internetnews.com/dev-news/article.php/2170381
FBI infraguard and others, grr, for those outside of USA, worked some ends for full disclosure to die off.
While I expect most of undeadly readers to know this stuff, I post this as a record to outsiders, governments and groups have made security WORSE off, this is a 5 year later summary of how their bad their methods STILL are.
What else would you expect from USA "influences"?
Comments
By kitche (71.243.190.83) on
>
> What else would you expect? Also no real security people distribute info with pdf if they have a choice.
>
umm real security people prefer pdf, since it is an open standard now and gives the pages wonderful output unless you want a real ugly email that no one can read like the SSH email that was sent out.
Comments
By Dmitri Alenichev (mitya) on http://rootshell.be/~mitya/
everybody can read email ;-)
Comments
By Terrell Prude' Jr. (151.188.18.46) tprude@cmosnetworks.com (this is a spamtrap address) on http://www.cmosnetworks.com/
>
> everybody can read email ;-)
And everybody can also read PDF. :-)
By Terrell Prude' Jr. (151.188.18.46) tprude@cmosnetworks.com (this is a spamtrap address) on http://www.cmosnetworks.com/
After the machinations of our current administration, I can't blame you for saying that. Yep, our government is plenty corrupt, as are all others. No, unfortunately, it's not unique to my country; Tony Blair of the UK and Alan Garcia of Peru are also "joined at the hip" to the likes of Bush. And Clinton was just as bad, I can assure you. Remember, he's the one who pushed that disgusting "Clipper" chip in 1993, and it was his administration that instigated that witch-hunt upon Phil Zimmerman for writing PGP.
Lord Acton was right. Power tends to corrupt.
The fact that my Congress just two months ago voted US $700 billion (thousand million) for fat cats on Wall Street is plenty proof for me just how big our problem is. And President-Elect Obama SUPPORTS this lunacy!! Oh, and this was totally against the stated wishes of the American people, BTW. We the people did *not* want them to do that. Matter of fact, there were millions of calls to Congress-critters telling them *not* to do that. But they did it anyway. The question is, will enough voters remember it two years from now when the midterm election comes around? Somehow, I doubt it.
And as for "security" teams, the one I trust the most is the OpenBSD development team.
--TP