Vulnerability Note VU#958563

SSH CBC vulnerability

Original Release date: 24 Nov 2008 | Last revised: 12 Jan 2009


A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to recover plaintext from a block of ciphertext.


The Secure Shell (SSH) is a network protocol that creates a secure channel between two networked devices in order to allow data to be exchanged. SSH can create this secure channel by using Cipher Block Chaining (CBC) mode encryption. This mode adds a feedback mechanism to a block cipher that operates in a way that ensures that each block is used to modify the encryption of the next block.

SSH contains a vulnerability in the way certain types of errors are handled. Attacks leveraging this vulnerabilty would lead to the loss of the SSH session. According to CPNI Vulnerability Advisory SSH:

    If exploited, this attack can potentially allow an attacker to recover up to 32 bits of plaintext from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration. If OpenSSH is used in the standard configuration, then the attacker's success probability for recovering 32 bits of plaintext is 2^{-18}. A variant of the attack against OpenSSH in the standard configuration can verifiably recover 14 bits of plaintext with probability 2^{-14}. The success probability of the attack for other implementations of SSH is not known.


An attacker may be able to recover up to 32 bits of plaintext from an arbitrary block of ciphertext.


We are currently unaware of a practical solution to this problem.

Use CTR Mode

SSH can be done using Counter (CTR) mode encryption. This mode generates the keystream by encrypting successive values of a "counter" function. For more information see the Block Cipher Modes article on wikipedia.

In order to mitigate this vulnerabilty SSH can be setup to use CTR mode rather CBC mode. According to CPNI Vulnerability Advisory SSH:
The most straightforward solution is to use CTR mode instead of CBC mode, since this renders SSH resistant to the attack. An RFC already exists to standardise counter mode for use in SSH (RFC 4344) ...

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
BitviseAffected07 Nov 200824 Nov 2008
FiSSHAffected07 Nov 200824 Nov 2008
Icon LabsAffected07 Nov 200824 Nov 2008
OpenSSHAffected07 Nov 200824 Nov 2008
OSSHAffected07 Nov 200824 Nov 2008
PuTTYAffected07 Nov 200805 Jan 2009
Redback Networks, Inc.Affected07 Nov 200824 Nov 2008
SSH Communications Security CorpAffected07 Nov 200824 Nov 2008
TTSSHAffected07 Nov 200824 Nov 2008
VanDyke SoftwareAffected07 Nov 200812 Jan 2009
Wind River Systems, Inc.Affected07 Nov 200824 Nov 2008
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Thanks to CPNI for reporting this vulnerability.

This document was written by Chris Taschner.

Other Information

  • CVE IDs: Unknown
  • Date Public: 14 Nov 2008
  • Date First Published: 24 Nov 2008
  • Date Last Updated: 12 Jan 2009
  • Severity Metric: 0.30
  • Document Revision: 16


If you have feedback, comments, or additional information about this vulnerability, please send us email.