Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability
Maybe there's a lesson to be learned from this SSH advisory: "Attacks always get better; they never get worse" [1].

I spent a little time looking for Bleichenbacher attacks on SSH more than two years ago. There was obviously a side channel disclosing decryption failures, but the best attack I could find was an obscure 'academic attack' that had fairly hefty resource requirements: 2^20 interactions with the server, and the ability to do TCP hijacking. At the time, I interpreted this as only a very minor attack, due to the strong assumptions required. Back in June 1998, I fired off a warning note to all the SSH folks I could think of [2], but quickly gave up and forgot about the whole thing when I never heard back from anyone [3].

I was mistaken in my assessment. We now know that Bleichenbacher attacks are a real threat. CORE SDI has described an insightful advance in analysis, a clever trick that can be used to exploit the same side channel that I wrongly considered useful only for academic attacks [4]. In short, I'm impressed by CORE SDI's contributions and humbled at overlooking the possibility for practical attacks.

The lesson here seems clear. I should have known better: the mere presence of the side channel should have been enough justification to fix the code, despite the impractical nature of the attacks known then. Attacks only get better, and once the attacker gets a foot in the door with this sort of weakness, who knows where it will all end? Next time, maybe I'll know better; in the meantime, I thought the lesson might be worth mentioning.

[1] I'm indebted to Bruce Schneier for this observation; see his April 15th Crypto-gram newsletter.

[2] http://www.cs.berkeley.edu/~daw/tmp/ssh
    Available upon request (my website seems to be down at the moment, but hopefully will be back).

[3] As a side note, this indicates to me that the vulnerability reporting process in place at SSH could probably be improved. I sent several repeated emails, but never once heard back from anyone, and soon gave up.

[4] As one who has been previously guilty of perpetrating an 'academic attack' or two (when your analysis starts with "first guess 192 bits of the key", you know you're in the land of 'academic attacks'!), it seems that I can err equally well in both directions...
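The "side channel disclosing decryption failures" Wagner refers to is the PKCS#1 v1.5 padding check on the RSA-decrypted session key. The following added example (mine, not code from this thread or from any SSH implementation) shows that check in its leaky form beside a variant that fails uniformly, plus a helper that asks whether a failure is externally observable. RSA itself is left out: both unpadding functions take the already-decrypted block, and KEY_LEN and the inputs are constructed for the example.

```python
# Added example, not code from this thread or from any SSH implementation:
# the PKCS#1 v1.5 unpadding check Wagner's side channel lives in, beside a
# variant that does not disclose decryption failures. RSA is left out; both
# functions take the already-decrypted block. KEY_LEN is constructed.
import secrets

KEY_LEN = 32  # session-key length in bytes (constructed for the example)

class DecryptionError(Exception):
    """Failure signal of the leaky variant; observable by the peer."""

def pad_pkcs1_v15(key: bytes, mod_len: int) -> bytes:
    """Build a well-formed block: 00 02 <nonzero padding> 00 <key>."""
    ps_len = mod_len - len(key) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this key")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + key

def unpad_leaky(block: bytes) -> bytes:
    """SSH1-style handling: abort on malformed padding. Whether the server
    aborts or continues tells the peer whether its block was well formed."""
    if block[0] != 0 or block[1] != 2:
        raise DecryptionError("Bad result from rsa_private_decrypt")
    sep = block.find(b"\x00", 2)
    if sep < 0:
        raise DecryptionError("no separator after padding")
    return block[sep + 1:]

def unpad_uniform(block: bytes, key_len: int = KEY_LEN) -> bytes:
    """Hardened handling: always hand back a key_len-byte key. On any
    structural error a fresh random key is returned, so the later key
    confirmation fails exactly as for an honest wrong key. This closes the
    abort/error oracle; timing differences still need constant-time code."""
    sep = block.find(b"\x00", 2)
    well_formed = (block[0] == 0 and block[1] == 2 and sep >= 10
                   and len(block) - sep - 1 == key_len)
    return block[sep + 1:] if well_formed else secrets.token_bytes(key_len)

def failure_observable(unpad, block: bytes) -> bool:
    """Does the server's outward behaviour (abort or not) differ for this
    block? True means the peer has an oracle on the padding check."""
    try:
        unpad(block)
    except DecryptionError:
        return True
    return False
```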
Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability
Hello,

Yet another error in the advisory released last Wednesday.

----- Original Message -----
From: "Iván Arce" <[EMAIL PROTECTED]>
Newsgroups: core.lists.bugtraq
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 07, 2001 6:25 PM
Subject: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability

> CORE SDI
> http://www.core-sdi.com
> SSH protocol 1.5 session key recovery vulnerability
>
> ...
> -- cut here --
>
> --- rsaglue.c 1999/12/10 23:27:25 1.8
> +++ rsaglue.c 2001/02/03 09:42:05
> @@ -264,7 +268,15 @@
>mpz_clear(&aux);
>
>if (value[0] != 0 || value[1] != 2)
> -fatal("Bad result from rsa_private_decrypt");
> +{
> + static time_t last_kill_time = 0;
> + if (time(NULL) - last_kill_time > 60 && getppid() != 1)
> + {
> + last_kill_time = time(NULL);
> + kill(SIGALRM, getppid());
...

This is wrong wrong wrong and will produce unpredictable results on the server machine, and does not fix the vulnerability either.

The correct line is:

+ kill(getppid(),SIGALRM);

Thanks to Matt Power from the Bindview RAZOR Team for pointing this out. The advisory at our web page has been updated to reflect this change.

-ivan

---
"Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house. Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse."
- Ambrose Bierce

==[ CORE Seguridad de la Informacion S.A. ]==
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : [EMAIL PROTECTED]
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAC Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402

---
For a personal reply use [EMAIL PROTECTED]
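Review bot: the argument order in the added line `kill(SIGALRM, getppid());` is reversed; kill(2) takes the target pid first and the signal second, so as written the call asks to deliver signal number getppid() to pid 14 (SIGALRM's value on most systems) instead of alarming the parent sshd, which is the "unpredictable results" the reply describes, and the line should read `kill(getppid(), SIGALRM);`. Two smaller points in the same hunk: `time(NULL)` is evaluated twice (once in the guard, once in the assignment), so reading it once into a local would be cleaner, and the `getppid() != 1` guard deserves a comment saying it exists so a daemon whose parent has already exited does not signal init. The hunk is cut off after the kill() call, so how the bad-padding case is handled past the `...` cannot be reviewed from what is quoted.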
Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability
In message <073f01c09136$ddc04240$2e58a8c0@ffornicario>, Iván Arce writes:

> OpenSSH
> The vulnerability is present in OpenSSH up to version 2.3.0,
> although it is not possible to exploit it due to limits imposed
> on the number of simultaneous connections the server is allowed
> to handle,

This is a confusing way to put it. This attack is not feasible on OpenSSH. The connection limit takes care of it. If you are running OpenSSH 2.3.0, you are completely fine.

Niels.
Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability (errata)
Just a small correction to the advisory just released:

> http://www.core-sdi.com/bid/1949
> http://www.core-sdi.com/bid/1426
> http://www.core-sdi.com/bid/1323
> http://www.core-sdi.com/bid/1006
> http://www.core-sdi.com/bid/843
> http://www.core-sdi.com/bid/660

should be:

http://www.securityfocus.com/bid/1949
http://www.securityfocus.com/bid/1426
http://www.securityfocus.com/bid/1323
http://www.securityfocus.com/bid/1006
http://www.securityfocus.com/bid/843
http://www.securityfocus.com/bid/660

Sorry for the cut&paste glitch.

-ivan
Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability
Iván Arce <[EMAIL PROTECTED]> writes:

> Solution/Vendor Information/Workaround:
[...]
> SSH.com
> ssh-1 up to version 1.2.31 is vulnerable.
> The official response from SSH.com follows:
>
> -SSH1 is deprecated and SSH.com does not support it
>  anymore, the official response is upgrade to SSH2
> -The SSH1 compatibility code built into SSH-2.4.0 always executes a
>  fresh copy of SSHD1, which causes the server key to be regenerated
>  for every connection. Thus, the attack is not at all feasible when
>  using SSH1 with an SSH2 server in compatibility mode.

I run a version 1 ssh.com sshd out of inetd using Wietse Venema's tcpd, because tcp_wrappers support is incomplete/buggy in the daemon itself (at least in 1.2.27 -- I haven't re-tested the later versions to see if they fix this). The daemon linked with libwrap doesn't support the rfc931 action, and I've had problems with it being overly permissive when specifying allowed IP ranges. In this case:

    ssh stream tcp nowait root /usr/local/sbin/tcpd /usr/local/sbin/sshd -i

as in the 2.4.0 SSH1 compatibility case mentioned above, there's a fresh daemon for each connection. It's annoying waiting for the server key to be generated for each connection if your machine isn't blazing fast, but a side effect is that this attack is prevented.

--
Dan Harkless                   | To prevent SPAM contamination, please
[EMAIL PROTECTED]              | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.