FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

libssh -- weak Diffie-Hellman secret generation

Affected packages
libssh < 0.7.3

Details

VuXML ID 6b3591ea-e2d2-11e5-a6be-5453ed2e2b49
Discovery 2016-02-23
Entry 2016-03-05

Andreas Schneider reports:

libssh versions 0.1 and above have a bits/bytes confusion bug and generate an abnormally short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. There are practical algorithms (Baby steps/Giant steps, Pollard’s rho) that can solve this problem in O(2^63) operations.

Both client and server are are vulnerable, pre-authentication. This vulnerability could be exploited by an eavesdropper with enough resources to decrypt or intercept SSH sessions. The bug was found during an internal code review by Aris Adamantiadis of the libssh team.

References

CVE Name CVE-2016-0739
URL https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739
URL https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/