Vulnerability Note VU#850440
SSH1 may generate weak passphrase when using Secure RPC
The secure-RPC feature of the SSH1 client in Solaris sometimes encrypts the SSH private key file with a weak passphrase, which can be determined by an attacker and used to recover the SSH private keys. Other versions of the SSH client running on non-Solaris platforms are not affected by this vulnerability.
On the Solaris operating system, SSH includes a feature to use Secure RPC credentials instead of requiring a separate user-supplied passphrase for SSH. This is beyond the intended use of Secure RPC and is not endorsed or in any way supported by Sun.
When the user elects to use this feature by typing "SUN-DES-1" as their SSH passphrase, SSH computes a "magic phrase" based on the user's Secure RPC public and private keys. This magic phrase is used as the passphrase to encrypt the user's SSH private key file.
A weakly-encrypted key file may be used to obtain unauthorized privileges of affected users. The impact is based on the sensitivity of the information being communicated through SSH.
SSH1 users should install the patch available at: http://www.ssh.com/products/ssh/patches.html
Always authenticate to Secure RPC before generating SSH keys using the "SUN-DES-1" passphrase. If your login password is the same as your Secure RPC password, the standard Solaris login methods (login, dtlogin, etc.) will authenticate you to Secure RPC. Otherwise, you should run keylogin to authenticate to Secure RPC.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|SSH Communications Security||Affected||-||13 Jun 2001|
|Sun||Affected||23 Apr 2001||07 Jun 2001|
CVSS Metrics (Learn More)
Thanks to Richard Silverman for discovering this vulnerability and reporting it to the BugTraq mailing list at SecurityFocus.
This document was written by Shawn Van Ittersum.
- CVE IDs: CVE-2001-0259
- Date Public: 16 Jan 2001
- Date First Published: 13 Jun 2001
- Date Last Updated: 25 Oct 2001
- Severity Metric: 1.89
- Document Revision: 22
If you have feedback, comments, or additional information about this vulnerability, please send us email.