CPNI Vulnerability Advisory

SSH

Plaintext Recovery Attack Against SSH

Version Information
-------------------
Advisory Reference    CPNI-957037
Release Date          14/11/08
Last Revision         17/11/08
Version Number        2.0

Version History
---------------
2.0 - Changes to Impact and Summary sections. Version History added.
      Vendor details added.

Acknowledgement
---------------
This issue was reported by Martin Albrecht, Kenny Paterson and Gaven Watson
from the Information Security Group at Royal Holloway, University of London.

What is affected?
-----------------
The attack was verified against the following product version running on
Debian GNU/Linux:

- OpenSSH 4.7p1

Other versions are also affected. Other implementations of the SSH protocol
may also be affected.

Impact
------
If exploited, this attack can potentially allow an attacker to recover up to
32 bits of plaintext from an arbitrary block of ciphertext from a connection
secured using the SSH protocol in the standard configuration.

If OpenSSH is used in the standard configuration, then the attacker's success
probability for recovering 32 bits of plaintext is 2^{-18}. A variant of the
attack against OpenSSH in the standard configuration can verifiably recover
14 bits of plaintext with probability 2^{-14}.

The success probability of the attack for other implementations of SSH is not
known.

Severity
--------
The severity is considered to be potentially HIGH due to the 32 bits of
plaintext that can be recovered. However, the likelihood of a successful
attack is considered LOW.

Summary
-------
Secure Shell or SSH is a network protocol that allows data to be exchanged
using a secure channel between two networked devices.

A design flaw in the SSH specification allows an attacker with control over
the network to recover up to 32 bits of plaintext from an SSH-protected
connection in the standard configuration. The success probability in
recovering 32 plaintext bits is 2^{-18} when attacking the OpenSSH
implementation of the SSH RFCs.
A variant of the attack against the OpenSSH implementation verifiably
recovers 14 plaintext bits with probability 2^{-14}. The recovered bits come
from an arbitrary, attacker-selected block of ciphertext. The success
probabilities for other implementations are unknown (but are potentially much
higher).

Details
-------
The attack works by analysing the behaviour of the SSH connection when
handling certain types of errors.

The attack was tested against the OpenSSH implementation of the SSH RFCs. We
expect any RFC-compliant SSH implementation to be vulnerable to some form of
the attack.

The attacks lead to the tear down of the SSH connection, meaning that they
cannot directly be iterated to increase the success probability. However, the
SSH architectural RFC (RFC 4251) states that the SSH connection should be
re-established in the event of errors. So, if SSH were used to protect a
fixed plaintext across multiple connections, and connections were
automatically re-established in compliance with RFC 4251, then the success
probability could be increased.

Solution
--------
The most straightforward solution is to use CTR mode instead of CBC mode,
since this renders SSH resistant to the attack. An RFC already exists to
standardise counter mode for use in SSH (RFC 4344) and AES in counter mode is
supported by OpenSSH.

A switch to AES in counter mode could most easily be enforced by limiting
which encryption algorithms are offered during the ciphersuite negotiation
that takes place as part of the SSH key exchange (see RFC 4253, Section 7.1).

Vendor Information
------------------
Buffalo: not vulnerable

SSH Communications Security has released the following advisory on its
website:
http://www.ssh.com/company/news/article/953/

Credits
-------
CPNI would like to thank Martin Albrecht, Kenny Paterson and Gaven Watson
from the Information Security Group at Royal Holloway, University of London
for reporting these issues.
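The Solution section above recommends limiting the ciphers offered during key exchange so that only CTR mode is negotiated. The following Python script is an added example (not part of the CPNI advisory and not OpenSSH code): it audits the Ciphers directive of an sshd_config or ssh_config text for CBC-mode cipher names, treats the absence of a directive as the standard configuration the advisory describes as affected, and rewrites the file to a CTR-only line using the RFC 4344 names aes128-ctr, aes192-ctr and aes256-ctr. The sample configuration is constructed; the parsing rules assumed are OpenSSH's documented ones (keywords are case-insensitive, `#` starts a comment, the first occurrence of a keyword wins), and Match blocks are deliberately not handled.

```python
"""Audit an OpenSSH config for CBC-mode ciphers and emit a CTR-only Ciphers
line. Added example for the CPNI-957037 mitigation; not CPNI or OpenSSH code.
"""
import re

# CTR-mode cipher names from RFC 4344; the advisory notes OpenSSH supports AES-CTR.
CTR_CIPHERS = ("aes128-ctr", "aes192-ctr", "aes256-ctr")

# Matches "Ciphers <list>" or "Ciphers = <list>" (case-insensitive keyword).
_CIPHERS_RE = re.compile(r"^ciphers(?:\s*=\s*|\s+)(\S+)", re.IGNORECASE)

# Constructed sample sshd_config fragment (not a real host's configuration).
SAMPLE_SSHD_CONFIG = """\
# constructed sample for the audit below
Port 22
Protocol 2
# legacy cipher list that still offers CBC modes
ciphers aes128-cbc,3des-cbc,aes128-ctr,rijndael-cbc@lysator.liu.se
MACs hmac-sha1
"""


def is_cbc_cipher(name: str) -> bool:
    """True for SSH2 cipher names in CBC mode (aes128-cbc, 3des-cbc, and
    vendor-suffixed names such as rijndael-cbc@lysator.liu.se).
    Stream ciphers such as arcfour are outside this advisory's scope."""
    base = name.strip().lower().split("@", 1)[0]
    return base.endswith("-cbc")


def find_ciphers_directive(config_text: str):
    """Return the cipher list from the first Ciphers directive, or None when
    no directive is present (the build's compiled-in default is then used)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _CIPHERS_RE.match(line)
        if m:
            # OpenSSH honours the first occurrence of a keyword only.
            return [c.strip() for c in m.group(1).split(",") if c.strip()]
    return None


def audit_ciphers(config_text: str) -> dict:
    """Report which offered ciphers are CBC-mode and whether the host is at
    risk. No explicit list means the standard configuration, which the
    advisory states is affected, so it is reported as at risk."""
    recommended = "Ciphers " + ",".join(CTR_CIPHERS)
    offered = find_ciphers_directive(config_text)
    if offered is None:
        return {"explicit": False, "cbc": [], "at_risk": True,
                "recommended": recommended}
    cbc = [c for c in offered if is_cbc_cipher(c)]
    return {"explicit": True, "cbc": cbc, "at_risk": bool(cbc),
            "recommended": recommended}


def harden_config(config_text: str) -> str:
    """Return the config with its first Ciphers directive replaced by the
    CTR-only line (appended if none exists); duplicate Ciphers lines are
    dropped so exactly one remains."""
    hardened_line = "Ciphers " + ",".join(CTR_CIPHERS)
    out, replaced = [], False
    for raw in config_text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if _CIPHERS_RE.match(stripped):
            if not replaced:
                out.append(hardened_line)
                replaced = True
            continue
        out.append(raw)
    if not replaced:
        out.append(hardened_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = audit_ciphers(SAMPLE_SSHD_CONFIG)
    print("CBC ciphers offered:", report["cbc"])
    print("at risk:", report["at_risk"])
    print("suggested directive:", report["recommended"])
    print("--- hardened config ---")
    print(harden_config(SAMPLE_SSHD_CONFIG), end="")
```

Run the audit against the real file with `audit_ciphers(open("/etc/ssh/sshd_config").read())`; after changing the directive, restart sshd and confirm from a client that only CTR ciphers are negotiated.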
Please visit http://www.isg.rhul.ac.uk for details about the Information
Security Group at Royal Holloway.

Contact Information
-------------------
Centre for the Protection of National Infrastructure (CPNI).

Email: csirtuk@cpni.gsi.gov.uk

For sensitive information the CSIRTUK PGP key is available from:
http://www.cpni.gov.uk/key.aspx

What is CPNI?
-------------
For further information regarding the Centre for the Protection of National
Infrastructure, please visit http://www.cpni.gov.uk.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by CPNI. The views and opinions of
authors expressed within this notice shall not be used for advertising or
product endorsement purposes. Neither shall CPNI accept responsibility for
any errors or omissions contained within this advisory. In particular, they
shall not be liable for any loss or damage whatsoever, arising from or in
connection with the usage of information contained within this notice.

© 2008 Crown Copyright