Vulnerability Note VU#958563

SSH CBC vulnerability

Overview

A vulnerability in SSH connections that use CBC mode encryption may allow an attacker to recover plaintext from a block of ciphertext.

I. Description

The Secure Shell (SSH) is a network protocol that creates a secure channel between two networked devices so that data can be exchanged. SSH can create this secure channel using Cipher Block Chaining (CBC) mode encryption. This mode adds a feedback mechanism to a block cipher: each ciphertext block is used to modify the encryption of the next block.

SSH contains a vulnerability in the way certain types of errors are handled. Attacks leveraging this vulnerability would lead to the loss of the SSH session. According to CPNI Vulnerability Advisory SSH:

    If exploited, this attack can potentially allow an attacker to recover up to 32 bits of plaintext from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration. If OpenSSH is used in the standard configuration, then the attacker's success probability for recovering 32 bits of plaintext is 2^{-18}. A variant of the attack against OpenSSH in the standard configuration can verifiably recover 14 bits of plaintext with probability 2^{-14}. The success probability of the attack for other implementations of SSH is not known.

II. Impact

An attacker may be able to recover up to 32 bits of plaintext from an arbitrary block of ciphertext.

III. Solution

We are currently unaware of a practical solution to this problem.

Use CTR Mode

SSH can also use Counter (CTR) mode encryption. This mode generates the keystream by encrypting successive values of a "counter" function. For more information, see the Block Cipher Modes article on Wikipedia.

In order to mitigate this vulnerability, SSH can be set up to use CTR mode rather than CBC mode. According to CPNI Vulnerability Advisory SSH:

    The most straightforward solution is to use CTR mode instead of CBC mode, since this renders SSH resistant to the attack. An RFC already exists to standardise counter mode for use in SSH (RFC 4344) ...
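The configuration check below is an added example and is not part of this note or of any vendor's software. It assumes OpenSSH-style configuration syntax (a "Ciphers" keyword followed by a comma-separated list, "#" comments) and uses the CTR cipher names standardised in RFC 4344; the sample sshd_config fragment is constructed for the example.

```python
"""Audit an OpenSSH-style config for CBC-mode ciphers and build a CTR-only Ciphers line."""
import re

# CTR-mode cipher names from RFC 4344, in the preference order handed to the daemon.
CTR_CIPHERS = ["aes256-ctr", "aes192-ctr", "aes128-ctr"]

# Matches "Ciphers <list>"; the keyword is case-insensitive in OpenSSH.
CIPHERS_RE = re.compile(r"^\s*ciphers\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample: a 2008-era style fragment that still lists CBC modes.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample for this example)
Port 22
Ciphers aes128-cbc,3des-cbc,aes128-ctr   # CBC modes listed first
Protocol 2
"""

def parse_ciphers(config_text):
    """Return the cipher list from the first Ciphers directive, or None if absent.

    Comments and blank lines are skipped; in OpenSSH the first occurrence wins.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comment
        m = CIPHERS_RE.match(line)
        if m:
            return [c.strip() for c in m.group(1).split(",") if c.strip()]
    return None

def cbc_ciphers(cipher_list):
    """Entries whose name marks them as CBC mode (e.g. aes128-cbc, 3des-cbc)."""
    return [c for c in cipher_list if c.lower().endswith("-cbc")]

def audit(config_text):
    """Classify a config as 'ok', 'cbc-enabled' or 'default' (no Ciphers line).

    A missing directive means the implementation default applies; the advisory
    quoted above says the standard configuration is vulnerable, so flag that too.
    """
    ciphers = parse_ciphers(config_text)
    if ciphers is None:
        return "default", []
    bad = cbc_ciphers(ciphers)
    return ("cbc-enabled" if bad else "ok"), bad

def hardened_line(cipher_list):
    """Ciphers directive with CBC entries dropped and RFC 4344 CTR modes ensured."""
    kept = [c for c in (cipher_list or []) if not c.lower().endswith("-cbc")]
    kept += [c for c in CTR_CIPHERS if c not in kept]   # append missing CTR modes
    return "Ciphers " + ",".join(kept)

if __name__ == "__main__":
    status, bad = audit(SAMPLE_CONFIG)
    print(status, bad)                                    # cbc-enabled ['aes128-cbc', '3des-cbc']
    print(hardened_line(parse_ciphers(SAMPLE_CONFIG)))   # Ciphers aes128-ctr,aes256-ctr,aes192-ctr
```

Run it against a real sshd_config or ssh_config to see whether a CBC cipher is still negotiable; the emitted line is a starting point, to be checked against the cipher names the installed implementation actually supports.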

Systems Affected

Vendor                              Status       Date Notified   Date Updated
Bitvise                             Vulnerable   2008-11-07      2008-11-24
FiSSH                               Vulnerable   2008-11-07      2008-11-24
Icon Labs                           Vulnerable   2008-11-07      2008-11-24
OpenSSH                             Vulnerable   2008-11-07      2008-11-24
OSSH                                Vulnerable   2008-11-07      2008-11-24
PuTTY                               Vulnerable   2008-11-07      2009-01-05
Redback Networks, Inc.              Vulnerable   2008-11-07      2008-11-24
SSH Communications Security Corp    Vulnerable   2008-11-07      2008-11-24
TTSSH                               Vulnerable   2008-11-07      2008-11-24
VanDyke Software                    Vulnerable   2008-11-07      2009-01-12
Wind River Systems, Inc.            Vulnerable   2008-11-07      2008-11-24

References

http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
http://isc.sans.org/diary.html?storyid=5366
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

Credit

Thanks to CPNI for reporting this vulnerability.

This document was written by Chris Taschner.

Other Information

Date Public: 2008-11-14
Date First Published: 2008-11-24
Date Last Updated: 2009-01-12
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric: 0.30
Document Revision: 16

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Produced 2008 by US-CERT, a government organization