SSH plaintext recovery vulnerability

Please consider subscribing to LWN

Subscriptions are the lifeblood of LWN.net. If you appreciate this content and would like to see more of it, your subscription will help to ensure that LWN continues to thrive. Please visit this page to join up and keep LWN on the net.

By Jake Edge
November 19, 2008

A somewhat mysterious SSH vulnerability has been reported in a way that unfortunately looks a bit like partial disclosure. In this case, though, there is a workaround that is supposed to alleviate the problem, so there are good reasons—as opposed to publicity-oriented reasons—to announce the flaw. While it is difficult to exploit, it does expose up to 32-bits of plaintext from within an SSH session which is a failure mode that is rather worrisome.

The flaw has only been confirmed in OpenSSH 4.7p1, but the announcement indicates that it is likely to be much more widespread: "We expect any RFC-compliant SSH implementation to be vulnerable to some form of the attack." The flaw is in the design of SSH and can allow an attacker who has "control over the network"—presumably the ability to monitor and inject traffic—to recover 32 plaintext bits with a very low probability (2^-18). The bits recovered come from an attacker-selected block of ciphertext. The attack leads to the termination of the SSH connection, so iterative attacks will be difficult or impossible.

It is hard to get too worked up about that kind of attack, even with much of the details lacking, but typically these kinds of flaws can be expanded in various ways. The announcement mentions variants that recover 14 bits with a probability of 2^-14. It also carries the following warning: "The success probabilities for other implementations are unknown (but are potentially much higher)." It is a security tautology that vulnerabilities only get bigger over time, which we have seen in various contexts, notably in DNS cache poisoning flaws over the years.

Another bit of information provided by the Centre for the Protection of National Infrastructure (CPNI), the UK government agency who issued the advisory, is that the attack analyzes "the behaviour of the SSH connection when handling certain types of errors". This particular attack is also only applicable to the default cipher-block chaining (CBC) mode, so switching to counter (CTR) mode works around the flaw.

OpenSSH supports the use of AES in CTR mode, which is what the advisory recommends using:

A switch to AES in counter mode could most easily be enforced by limiting which encryption algorithms are offered during the ciphersuite negotiation that takes place as part of the SSH key exchange (see RFC 4253, Section 7.1).

There is quite a bit of information in the advisory that might lead a determined attacker in the "right" direction. It might also provide enough for someone to come up with attacks that are more probable and/or reveal more plaintext. So far, the Internet Storm Center is reporting that they have not seen any evidence that the flaw is being exploited in the wild.

OpenSSH has not, as yet, addressed the issue, at least on their security page. At least in its current form, there is probably very little to worry about from this flaw, but very security-conscious SSH users will want to apply the workaround.

Index entries for this article
Security	OpenSSH

(Log in to post comments)

So how to protect myself ?

Posted Nov 20, 2008 10:28 UTC (Thu) by addw (guest, #1771) [Link]

This is supposed to be easy, if I was paranoid would I add something like the following to /etc/ssh/sshd_config :

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

What about things like: arcfour128,arcfour256,arcfour ?

So how to protect myself ?

Posted Nov 20, 2008 21:24 UTC (Thu) by jengelh (subscriber, #33263) [Link]

This is paranoia. Or just good sense. I have not yet come across an SSH implementation that does not do AES-256-CTR, and should I, I'd replace it with something that does. putty, openssh, you name it.

# grep Ciphers sshd_config
Ciphers aes256-ctr

So how to protect myself ?

Posted Nov 21, 2008 16:08 UTC (Fri) by drag (guest, #31333) [Link]

The AES 256 stuff is what I always use for internet connections.

What point is there in using anything else, really?

For my local Lan typically I'll disable compression and use arcfour.

So how to protect myself ?

Posted Nov 27, 2008 18:43 UTC (Thu) by mikachu (guest, #5333) [Link]

I'm even more paranoid; I assume -cbc is the default for a reason, what are its advantages over -ctr?

So how to protect myself ?

Posted Nov 27, 2008 22:44 UTC (Thu) by kasperd (guest, #11842) [Link]

AFAIK CBC is older and more widely supported than CTR. But CTR is not that complicated, so I'd expect all major implementations to support it.

Supposedly CTR is more secure (for reasons that may be completely unrelated to this vulnerability). But CTR is only more secure if your IV is generated properly. If you were for whatever reason going to reuse an IV, it would weaken CTR a lot more than it would to CBC. However since the symmetric keys are just session keys, such a vulnerability is highly unlikely to exist in ssh. The risk of improper use of IVs for CTR is more of an issue when you have long lived symmetric keys (storage encryption).

I am still not convinced that there even is a vulnerability in ssh. Given the information made available so far, the whole thing could be a canard.

So how to protect myself ?

Posted Nov 23, 2008 22:04 UTC (Sun) by djm (subscriber, #11651) [Link]

The arcfour* ciphers are not vulnerable - the attack works against CBC ciphers only. If you are using arcfour, then use arcfour256 instead - it is no slower and a but more secure.

UK govt not completely tech idiots after all

Posted Nov 20, 2008 11:08 UTC (Thu) by rwmj (subscriber, #5474) [Link]

I think the most interesting point about this article is that there exists a UK government run agency for protecting infrastructure that seems to actually have a clue.

UK govt not completely tech idiots after all

Posted Nov 21, 2008 17:43 UTC (Fri) by Tet (subscriber, #5433) [Link]

there exists a UK government run agency for protecting infrastructure that seems to actually have a clue.

From the OpenSSH security advisory:

Unfortunately, due to the report lacking any detailed technical description of the attack and CPNI's unwillingness to share necessary information, we are unable to properly assess its impact.

Not telling the world at large the intimate details of the vulnerability is one thing, but not sharing them with those who wrote the code and would like to fix it? Bizarre. I think I'd only go as far as them having half a clue.

UK govt not completely tech idiots after all

Posted Nov 21, 2008 19:34 UTC (Fri) by lysse (guest, #3190) [Link]

I fear that's down to bureaucratic idiocy, rather than technical idiocy. The UK remain a world leader in that department; we never saw a list of rules we didn't want to apply right down to the tiniest little letter.

SSH plaintext recovery vulnerability

Posted Nov 20, 2008 21:23 UTC (Thu) by liljencrantz (guest, #28458) [Link]

Recovering 14 bits of data with the probability of 2^-14 should be exactly the same as guessing 14 bits at random, no? Perhaps one of the numbers here are of a bit?

SSH plaintext recovery vulnerability

Posted Nov 21, 2008 13:00 UTC (Fri) by jbh (guest, #494) [Link]

The difference is in the knowledge that the guess is right. Guessing 14 bits has a probability of 2^-14, but unless there's a weakness you have to brute-force the other 50 bits *for each guess* to find out if your guess is right. So recovering 14 bits is 2^64 units of work. (I'm assuming 64 bit key length.)

If on the other hand you can recover 14 bits in 2^14 units of work, you can crack the key in 2^50+2^14 steps, considerably lower than 2^64.

SSH plaintext recovery vulnerability

Posted Nov 21, 2008 23:32 UTC (Fri) by djm (subscriber, #11651) [Link]

Yes, the attack relies on the protocol's error behaviour to provide an "oracle" that verifies the guesses. However, this can't directly be used to recover keys - "just" plaintext that is sent over the SSH connection.