search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Weak CRC allows RC4 encrypted SSH1 packets to be modified without notice

Vulnerability Note VU#25309

Original Release Date: 2001-01-18 | Last Revised: 2002-03-05

Overview

There is an information integrity vulnerability in the SSH1 protocol that allows RC4 encrypted packets to be modified without notice.

Description

Preconditions:

Client has requested RC4 and server supports it.
Compression is disabled.

When using the RC4 stream cipher, SSH1 uses a cyclic redundancy check (CRC) algorithm to perform an integrity check on incoming packets. Because the CRC checksum can be modified, an attacker can intercept an SSH packet, modify its contents, then modify the CRC to match. When the packet is then retransmitted from the attacker to the victim, the CRC integrity check will pass. This means that the attacker can make arbitrary modifications to the packet and the victim will be unable to detect them. This vulnerability results from the fact that CRC is not intended for cryptographic integrity checks. As a result, the CRC algorithm does not contain any security measures to prevent tampering with the checksum.

To exploit this vulnerability, an attacker must:

    • Take a SSH packet of the form P | C, where P is the packet data and C is the CRC checksum for that packet.
    • Create a mask M, which contains the bits in P that you want to toggle.
    • Calculate the CRC for M and call it C'.
    • Use XOR to create the following packet: P XOR M | C XOR C'
    • Send the modified packet to the victim in place of the original packet.

Because the CRC has been modified to account for the "addition" of M, the CRC integrity check on the victim's SSH client will pass.

Impact

Attackers can modify or logically delete arbitrary SSH packets.

Solution

SSH Secure Communications recommends disabling RC4 in SSH1 or upgrading to SSH2.

Vendor Information

25309
Expand all

SSH Communications Security

Updated:  February 06, 2001

Status

  Vulnerable

Vendor Statement

RC4 was disabled from SSH Corp.'s distribution in 1997.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenSSH

Updated:  October 29, 2001

Status

  Not Vulnerable

Vendor Statement

See http://www.openssh.com/security.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The CERT/CC thanks Antti Huima, Tuomas Aura, and Janne Salmi for their analysis and Tatu Ylonen for bringing this vulnerability to our attention.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: None
Severity Metric: 0.39
Date Public: 2001-01-18
Date First Published: 2001-01-18
Date Last Updated: 2002-03-05 20:22 UTC
Document Revision: 23

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.