Bugtraq mailing list archives
Re: SSH1 vulnerability ?
From: Tatu Ylonen <ylo () SSH COM>
Date: Sat, 10 Feb 2001 15:08:11 +0200
On Fri, 9 Feb 2001, Christophe Dupre wrote (on the ssh () client fi list):
I just read Razor's vulnerability advisory, as reported on slashdot. Any truth to it, or is it another wannabe ?
I suppose you are referring to this one:
"Bindview released an advisory yesterday warning us that "[a]n integer-overflow problem is present in common code of recent ssh daemons, deattack.c, which was developed by CORE SDI to protect against cryptographic attacks on SSH protocol. [...] This effectively allows an attacker to overwrite arbitrary portions of memory"
SSH2 is not vulnerable to this issue at all. Thus, if you are using ssh-2.4.0, or any earlier version of SSH2, you are safe. The vulnerability only affects the SSH1 protocol. The bug in the deattack code is probably genuine, and looks like a coding bug (16 bit int used instead of 32 bit int). We have also committed a fix to the SSH1 source tree (which is still used by many to implement compatibility with the old SSH1 protocol during the transition to SSH2 - see http://www.ssh.com/products/ssh/ssh2-ssh1-server-howto.html for information on how to transition to SSH2 while still maintaining compatibility with existing SSH1 clients). The whole CRC32 vulnerability is once again a manifestation of certain fundamental problems in the SSH1 key exchange and message authentication mechanism. The SSH2 protocol was created to fix these (and other) problems. The old SSH1 protocol is deprecated, and people are strongly urged to move to using the SSH2 protocol. The effect of this particular vulnerability is that it may allow a highly advanced attacker to insert commands into an SSH1 session using an active network-level attack together with a cryptographic attack. I consider this something that needs to be fixed (the real fix is to move to SSH2), but it is not an immediate threat. BTW, some cryptographers that I know have been speculating whether it would be possible to construct attack patterns that would get around the CRC32 deattack mechanism entirely. The original CRC32 attack works obtaining some known plaintext-ciphertext pairs, and constructing a special pattern that defeats the CRC32 that was used as MAC in SSH1. The deattack code detects the particular pattern used to defeat the CRC32 check. However, some people are speculating that there may be other patterns (e.g. involving more known plaintext-ciphertext pairs) that would also compensate for CRC32 but would not be detected by the deattack code. I cannot confirm whether this is the case, but I personally do not fully trust that the deattack code will be able to prevent all variations of the attack (even without the bug in the deattack code). The real fix is to move to using the SSH2 protocol. Ssh-2.4.0 is available from www.ssh.com (or ftp://ftp.ssh.com/pub/ssh), and is completely free for any use on Linux, FreeBSD, NetBSD, and OpenBSD, as well as for use by universities and charity organizations, and for personal hobby/recreational use by individuals. Tatu -- SSH Communications Security http://www.ssh.com/ SSH IPSEC Toolkit http://www.ipsec.com/ SSH(R) Secure Shell(TM) http://www.ssh.com/products/ssh
Current thread:
- Re: SSH1 vulnerability ? Tatu Ylonen (Feb 10)
- Re: SSH1 vulnerability ? Peter van Dijk (Feb 12)
- <Possible follow-ups>
- Re: SSH1 vulnerability ? Markus Friedl (Feb 12)
- Re: SSH1 vulnerability ? Frank Cusack (Feb 14)