
CERT Coordination Center

Weaknesses in the SSH protocol simplify brute-force attacks against passwords typed in an existing SSH session

Vulnerability Note VU#596827

Original Release Date: 2001-09-28 | Last Revised: 2001-12-14

Overview

There is a vulnerability in the SSH protocol that can simplify brute-force attacks against passwords typed within an existing SSH session.

Description

Researchers at the University of California at Berkeley have determined that by monitoring the delays between SSH packets transmitted across the network, it is possible to make educated guesses about the keystrokes typed by the user. This vulnerability relies primarily upon the fact that in interactive SSH sessions, each keystroke made by the user causes the SSH client to transmit one IP packet to the SSH server. Similarly, as the remote server echoes the typed characters back to the user, the SSH server sends individual IP packets back to the SSH client.

This behavior (which is common to many terminal programs) creates identifiable patterns in the packet data that yield information about the user's activities. For example, as described in the Berkeley paper, if a system administrator logs into a remote Unix system and types the su command to become the superuser, the process will look similar to this:

sysadmin@hostname % su
Password:
root@hostname #

Since this conversation takes place over an interactive terminal session, "sysadmin@hostname % " will be transmitted as a group of characters (most likely in a single data packet), each character in "su" will result in two data packets (one keystroke and one echo), and "Password: " will be transmitted as a single data packet. Then, as the user types the root password, each character typed will result in a single data packet, but an echo will not be sent. This lack of an echo response is trivial to detect within a captured data stream and, as a result, the attacker will know exactly which keystrokes (and how many) represent the system's root password. Then, by using the technique documented in the Berkeley paper, it is possible to analyze the delays between each keystroke of the password to simplify a brute-force attack against it.

This vulnerability has some noteworthy limitations that warrant mention:

    • The attacker needs accurate timing information for the victim's session, which means that this technique may prove to be fruitless when conducted over a high-latency network connection with many simultaneous sessions present.
    • Successful exploitation of this vulnerability does not yield a usable password; it merely simplifies a brute-force attack. Such attacks (even when simplified) will still take a significant amount of time and will be easily detectable by observant victims.
    • At present, this technique has only been demonstrated with short sequences of keystrokes produced by touch typists with repeatable typing styles.

In addition to these limitations, there are a few other factors to consider when judging the severity of this vulnerability. First, this vulnerability does not rely upon a cryptographic flaw; it is based upon a statistical analysis of network traffic that is independent of cipher or SSH protocol version. Second, it is easy to misinterpret this vulnerability as a weakness in the initial SSH login authentication and to conclude that using strong SSH authentication (e.g. RSA) is a defense against this problem. In fact, the initial authentication method is irrelevant. This technique analyzes traffic generated after the initial authentication, and passwords are just one possible type of data that could be analyzed and exposed.

Impact

This vulnerability reduces the number of guesses needed to perform brute-force attacks against passwords typed in an existing SSH session.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Mask echo behavior in terminal programs


This technique is dependent upon the previously mentioned echo behavior to identify password locations, so adding dummy echo characters to the password prompt (such as asterisks) would present a significant challenge to attackers.
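The following added example (not part of the original note) models the packet directions of the su exchange described above and checks that dummy echoes remove the un-echoed run that marks the password. The trace format, function names, and sample password are assumptions made for this illustration.

```python
# Added illustration: a toy model of packet directions in an interactive
# session. Names, trace format and sample values are constructed here.
C2S, S2C = "C>S", "S>C"  # client-to-server, server-to-client


def session_trace(command, password, mask_echo):
    """Return the packet-direction sequence for the su exchange.

    Every typed character is one client packet. An echoed character adds
    one server packet. With mask_echo=True each password keystroke is also
    answered by a dummy server packet, as the mitigation proposes.
    """
    trace = [S2C]                # shell prompt arrives as one packet
    for _ in command:            # e.g. "su": keystroke, then its echo
        trace += [C2S, S2C]
    trace += [C2S, S2C]          # Enter, then the "Password: " prompt
    for _ in password:           # terminal echo is off while typing
        trace.append(C2S)
        if mask_echo:
            trace.append(S2C)    # dummy echo hides the missing reply
    trace += [C2S, S2C]          # Enter, then the root prompt
    return trace


def unechoed_keystrokes(trace):
    """Count client packets that are not directly followed by a server packet."""
    count = 0
    for i, direction in enumerate(trace):
        if direction != C2S:
            continue
        following = trace[i + 1] if i + 1 < len(trace) else None
        if following != S2C:
            count += 1
    return count


def reveals_password_location(trace):
    """True when the direction pattern alone exposes an un-echoed run."""
    return unechoed_keystrokes(trace) > 0


SAMPLE_PASSWORD = "abcdefgh"     # constructed sample, 8 characters

if __name__ == "__main__":
    for masked in (False, True):
        t = session_trace("su", SAMPLE_PASSWORD, masked)
        print(masked, unechoed_keystrokes(t), reveals_password_location(t))
```

The model covers packet direction only; inter-keystroke delays are not represented, so it shows what the dummy echoes hide (where the password is and how long it is) and nothing about timing.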

Vendor Information


Apple

Updated:  November 05, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

To address this vulnerability, Apple has updated OS X to include OpenSSH 2.9p2. For further information, please visit

Cisco

Updated:  September 28, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Cisco has published an advisory regarding this issue; for more information, please visit

Conectiva

Updated:  December 14, 2001

Status

  Vulnerable

Vendor Statement

Conectiva Linux has released Security Announcement CLA-2001:391 regarding this vulnerability. For more information, please see

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F-Secure

Updated:  November 05, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

F-Secure has released a public statement regarding this vulnerability; for more information, please visit

Immunix

Updated:  December 14, 2001

Status

  Vulnerable

Vendor Statement

Immunix has released Security Advisory IMNX-2001-70-009-01 to address this vulnerability. For more information, please see

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft

Updated:  December 13, 2001

Status

  Vulnerable

Vendor Statement

MandrakeSoft has released Security Advisory MDKSA-2001-033-2 to address this issue. For more information, please see

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Red Hat

Updated:  December 14, 2001

Status

  Vulnerable

Vendor Statement

Red Hat has released RHSA-2001:033-04 to address this issue. For more information, please see

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SSH Communications Security

Updated:  November 05, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SSH Communications has released a public statement regarding this vulnerability; for more information, please visit

Trustix

Updated:  December 14, 2001

Status

  Vulnerable

Vendor Statement

Trustix Secure Linux has released Security Advisory #2001-0002 to address this issue. For more information, please see

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.



CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A

References

Acknowledgements

This vulnerability was discovered independently by Solar Designer and Dug Song of The Openwall Project as well as Dawn Xiaodong Song, David Wagner, and Xuqing Tian of the University of California at Berkeley; the CERT/CC thanks both parties for their research and analysis.

This document was written by Jeffrey Lanza.

Other Information

CVE IDs: None
Severity Metric: 5.77
Date Public: 2001-03-19
Date First Published: 2001-09-28
Date Last Updated: 2001-12-14 21:12 UTC
Document Revision: 41

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.