=====================================================================
CERT-Renater Information Note No. 2008/VULN526
_____________________________________________________________________

DATE                 : 17/11/2008
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running SSH implementations, OpenSSH,
                       SSH Tectia Client, SSH Tectia Server,
                       SSH Tectia ConnectSecure, SSH Tectia Connector.
======================================================================

http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
http://www.ssh.com/company/news/article/953/
______________________________________________________________________

CPNI Vulnerability Advisory

SSH
Plaintext Recovery Attack Against SSH

Version Information
-------------------
Advisory Reference   CPNI-957037
Release Date         14/11/08
Last Revision
Version Number       1.0

Acknowledgement
---------------
This issue was reported by Martin Albrecht, Kenny Paterson and Gaven Watson from the Information Security Group at Royal Holloway, University of London.

What is affected?
-----------------
The attack was verified against the following product version running on Debian GNU/Linux:

- OpenSSH 4.7p1

Other versions are also affected. Other implementations of the SSH protocol may also be affected.

Impact
------
If exploited, this attack can potentially allow an attacker to recover up to 32 bits of plaintext from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration.

If OpenSSH is used in the standard configuration, then the attacker's success probability for recovering 32 bits of plaintext is 2^{-18}. A variant of the attack against OpenSSH in the standard configuration recovers 14 bits of plaintext with probability 2^{-14}.

The success probability of the attack for other implementations of SSH is not known.

Severity
--------
The severity is considered to be potentially HIGH due to the 32 bits of plaintext that can be recovered.
However, the likelihood of a successful attack is considered LOW.

Summary
-------
Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.

A design flaw in the SSH specification allows an attacker with control over the network to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. The success probability in recovering 32 plaintext bits is 2^{-18} when attacking the OpenSSH implementation of the SSH RFCs. A variant of the attack against the OpenSSH implementation recovers 14 plaintext bits with probability 2^{-14}. The recovered bits come from an arbitrary, attacker-selected block of ciphertext. The success probabilities for other implementations are unknown (but are potentially much higher).

Details
-------
The attack works by analysing the behaviour of the SSH connection when handling certain types of errors. The attack was tested against the OpenSSH implementation of the SSH RFCs. We expect any RFC-compliant SSH implementation to be vulnerable to some form of the attack.

The attacks lead to the tear down of the SSH connection, meaning that they cannot directly be iterated to increase the success probability. However, the SSH architectural RFC (RFC 4251) states that the SSH connection should be re-established in the event of errors. So, if SSH were used to protect a fixed plaintext across multiple connections, and connections were automatically re-established in compliance with RFC 4251, then the success probability could be increased.

Solution
--------
The most straightforward solution is to use CTR mode instead of CBC mode, since this renders SSH resistant to the attack. An RFC already exists to standardise counter mode for use in SSH (RFC 4344) and AES in counter mode is supported by OpenSSH.
A switch to AES in counter mode could most easily be enforced by limiting which encryption algorithms are offered during the ciphersuite negotiation that takes place as part of the SSH key exchange (see RFC 4253, Section 7.1).

Vendor Information
------------------
Vendors have been advised. This section will be updated as more information becomes available.

Credits
-------
CPNI would like to thank Martin Albrecht, Kenny Paterson and Gaven Watson from the Information Security Group at Royal Holloway, University of London for reporting these issues.

Please visit http://www.isg.rhul.ac.uk for details about the Information Security Group at Royal Holloway.

Contact Information
-------------------
Centre for the Protection of National Infrastructure (CPNI).
Email: csirtuk@cpni.gsi.gov.uk

For sensitive information the CSIRTUK PGP key is available from:
http://www.cpni.gov.uk/key.aspx

What is CPNI?
-------------
For further information regarding the Centre for the Protection of National Infrastructure, please visit http://www.cpni.gov.uk.

Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither shall CPNI accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice.

© 2008 Crown Copyright
_________________________________________________________________________

November 14, 2008

Plaintext Recovery Attack Against SSH
CPNI Advisory Reference CPNI-957037
http://www.cpni.gov.uk/Products/3716.aspx

A security issue also affecting the SSH Tectia client/server solution has been found.
This issue can create a vulnerability in systems that have the SSH Tectia Client or SSH Tectia Server package installed.

DESCRIPTION

An attacker who is able to listen to an encrypted Secure Shell (SSH) connection and actively steal the network connection (TCP) can in some situations obtain up to 4 bytes of cleartext data from the session. The attack attempt causes the attacked connection to be disconnected immediately. The attack works only against protocol sessions that are encrypted using a block cipher algorithm in the cipher-block chaining (CBC) mode. Exploiting this vulnerability is very difficult.

AFFECTED PRODUCTS

* SSH Tectia Client and Server and ConnectSecure 6.0.4 and older in the 6.x series
* SSH Tectia Client and Server and Connector 5.3.8 and older in the 5.3.x series
* SSH Tectia Client and Server and Connector 5.2.4 and older in the 5.x series
* SSH Tectia Client and Server and Connector 4.4.11 and older in the 4.x series
* SSH Tectia Server for Linux on IBM System z 6.0.4
* SSH Tectia Server for IBM z/OS 6.0.1 and 6.0.0
* SSH Tectia Server for IBM z/OS 5.5.1 and older
* SSH Tectia Client 4.3.3-J (Japanese) and older in the 4.x-J series
* SSH Tectia Client 4.3.10-K (Korean) and older in the 4.x-K series

PRODUCTS NOT AFFECTED

* SSH Tectia Client and Server and ConnectSecure 6.0.5
* SSH Tectia Client and Server and Connector 5.3.9
* SSH Tectia Client and Server and Connector 5.2.5
* SSH Tectia Client and Server and Connector 4.4.12
* SSH Tectia Server for Linux on IBM System z 6.0.5
* SSH Tectia Server for IBM z/OS 6.0.2
* SSH Tectia Server for IBM z/OS 5.5.2
* SSH Tectia Client 4.3.4-J (Japanese)

FIX / WORK-AROUND

An immediate workaround is to refrain from using CBC mode block ciphers in Secure Shell (SSH) sessions. In practice this is achievable with the SSH Tectia products by utilizing either CryptiCore or Arcfour encryption algorithms.
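Both the CPNI solution (restricting the algorithms offered in the RFC 4253 Section 7.1 negotiation) and the Tectia workaround (never letting a CBC cipher be selected) come down to what each side puts in its SSH_MSG_KEXINIT name-lists. The following added example, not code from either advisory or vendor, encodes and parses KEXINIT payloads, applies the RFC 4253 rule that the negotiated cipher is the first entry in the client's list that the server also offers, and flags a CBC outcome; the cipher lists, field names and zero cookie are constructed for the demonstration.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def encode_name_list(names):
    """RFC 4251 name-list: uint32 length followed by comma-separated ASCII names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body

def decode_name_list(buf, off):
    """Return (names, next_offset); an empty string decodes to an empty list."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    body = buf[off + 4:off + 4 + length].decode("ascii")
    return (body.split(",") if body else []), off + 4 + length

def build_kexinit(lists):
    """Constructed KEXINIT payload: type byte, 16-byte cookie (zeros here, for the demo), ten name-lists, first_kex_packet_follows, reserved."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in KEXINIT_FIELDS:
        payload += encode_name_list(lists.get(field, []))
    return payload + b"\x00" + struct.pack(">I", 0)

def parse_kexinit(payload):
    """Parse a KEXINIT payload back into a dict of name-lists (offset 17 skips type + cookie)."""
    off, lists = 17, {}
    for field in KEXINIT_FIELDS:
        lists[field], off = decode_name_list(payload, off)
    return lists

def negotiate(client_names, server_names):
    """RFC 4253 7.1: the first entry in the client's list that the server also offers."""
    for name in client_names:
        if name in server_names:
            return name
    return None  # no common algorithm: the connection must fail

def is_cbc(cipher):
    """CBC-mode names end in '-cbc' before any '@domain' suffix (e.g. aes128-cbc)."""
    return cipher.split("@")[0].endswith("-cbc")

def audit_cipher(client_payload, server_payload):
    """Negotiate both directions; return (chosen cipher per direction, cbc_in_use)."""
    c, s = parse_kexinit(client_payload), parse_kexinit(server_payload)
    chosen = {d: negotiate(c[d], s[d]) for d in ("enc_c2s", "enc_s2c")}
    return chosen, any(x is not None and is_cbc(x) for x in chosen.values())
```

Because the client's order wins, a server that merely demotes CBC below CTR still ends up in CBC mode against a CBC-first client; the effective mitigation is to remove CBC names from the offered list on the side you control.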
We recommend that you also update your system to an SSH Tectia client/server solution version which is not vulnerable. Once the update has been made, you can safely use the product again.

UPDATING SSH TECTIA CLIENT AND SSH TECTIA SERVER

If you are a currently active Maintenance Customer, you can download the installation packages from SSH Customer Download Center at https://downloads.ssh.com. The products provided here include valid license files.

If you are not a currently active Maintenance Customer, you can reinstate your Maintenance by contacting your SSH Sales office. Go to http://www.ssh.com for contact info. Or you can buy a version of the relevant SSH Tectia product that is not vulnerable at http://www.ssh.com/buy/online/

SSH Communications Security apologizes for any inconvenience that this vulnerability may have caused. We take security of the systems of our customers very seriously and do our utmost to provide secure software with minimum defects. We strongly urge all customers to consider the implications of this vulnerability carefully and to make an educated decision on actions.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER              | tel  : 01-53-94-20-44 +
+ 151 bd de l'Hopital       | fax  : 01-53-94-20-41 +
+ 75013 Paris               | email: certsvp@renater.fr +
=========================================================