search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Certain implementations of SSH1 may reveal internal cryptologic state

Vulnerability Note VU#161576

Original Release Date: 2002-07-31 | Last Revised: 2002-07-31

Overview

An implementation problem in at least one Secure Shell (SSH) product and a weakness in the PKCS#1_1.5 public key encryption standard allows attackers to recover plaintext of messages encrypted with SSH.

Description

A weakness in some SSH products using the SSH1 protocol may allow an attacker to determine internal cryptologic states. Combined with a weakness in the PKCS#1_1.5 public key encryption standard, used by SSH protocol 1.5, this vulnerability may be exploited to recover arbitrary session keys used for symmetric encryption in SSH connections. It has been reported that these vulnerabilities are relatively difficult to exploit.

Impact

An attacker may recover an SSH connection's session key and decrypt all communications from the connection.

Solution

Apply a patch available from your vendor

This vulnerability was first reported and patched in early 2001.

Reduce potential exposure

Disable all variants of SSH protocols 1.5 and older on the server.

Vendor Information

161576
 
Expand all

OpenSSH Affected

Notified:  December 09, 2001 Updated: June 07, 2002

Status

Affected

Vendor Statement

Markus Friedl of OpenSSH writes:

"OpenSSH-2.2.0 and later fix this problem by imposing a limit to the numbers of allowed connections. Versions earlier than 2.3.0 should not be used, because the suffer the CRC32 bug.

"Later versions of OpenSSH (2.5.* and later) add additional countermeasures (like not calling fatal() on RSA operation failures and adding random cookies for each new generated server key, see the source for defails)."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SSH Communications Security Unknown

Notified:  December 09, 2001 Updated: June 12, 2002

Status

Unknown

Vendor Statement

Tatu Ylonen of SSH Communications Security writes:

"SSH1 has been officially deprecated for some time now. I strongly urge all users to switch to the latest SSH Secure Shell (or generally to the version 2 of the Secure Shell protocol). The version 1.x protocol suffers from many security problems.

"I do, however, have reason to believe that the issue reported here may be a fluke. There was discussion about the Bleisenbacher attack against SSH1 some years ago (after the attack became public), and the general conclusion at that time was that it didn't affect Secure Shell. The session key in SSH1 is encrypted TWICE, once by the server key, and once by the host key. To decrypt the session key, one would need to be able to determine BOTH the server key and the host key. I am not aware of a variant of the Bleisenbacher attack that would do this....

"As a fix, I would add upgrading to the lastest version (ssh-3.1.2, or ssh-1.2.33 if one insists on using the deprecated 1.x protocol)."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to CORE SDI for reporting this vulnerability and to Markus Friedl and Tatu Ylonen for their helpful clarifications.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: CVE-2001-0361
Severity Metric: 6.48
Date Public: 2001-02-13
Date First Published: 2002-07-31
Date Last Updated: 2002-07-31 23:01 UTC
Document Revision: 20

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis