A design flaw in the SSH-1 protocol allows a malicious server to establish two concurrent sessions with the same session ID, enabling a man-in-the-middle attack. To exploit this vulnerability, the attacker needs the client to accept an unknown host key from the malicious server.
SSH-1 authentication relies on the uniqueness of each SSH server's public host key. This key and a corresponding private key are computed by each server for its own use. Since there is a pseudorandom element in the computation of the keys, it is extremely unlikely that two servers would compute the same key pair.
Servers share their public keys with other hosts, so a server could steal another server's public host key. However, if a server used another server's public host key as its own, it would also need the corresponding private key to decrypt messages from its clients. The private key is not shared and is very difficult to compute from the public host key alone.
Attackers can obtain the privileges of the victim user on other hosts running an SSH-1 server.
Upgrade to SSH-2, which is not vulnerable to this attack.
When using SSH-1, be careful when accepting unknown server keys for SSH connections. Clients should not attempt to start an SSH-1 connection with encryption disabled. Servers should refuse SSH-1 connection requests which have encryption disabled.
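The workarounds above amount to two client settings: never negotiate SSH-1, and never accept a host key that is not already known. The following script is an added example, not part of the CERT note or of any SSH implementation; it audits OpenSSH-style configuration files for those two settings. It assumes the classic OpenSSH directives `Protocol` (values `1`, `2`, or `2,1`) and `StrictHostKeyChecking`, and the two sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the CERT note or any SSH implementation.
# Audits OpenSSH-style configuration for the advisory's workarounds:
# SSH-2 only, and no silent acceptance of unknown host keys.
# Assumes the classic OpenSSH directives "Protocol" and
# "StrictHostKeyChecking"; the sample files below are constructed.

# Constructed sample configurations, written to a temp dir so the
# script runs offline.
TMPDIR_AUDIT=$(mktemp -d)
WEAK_CFG="$TMPDIR_AUDIT/ssh_config.weak"
HARD_CFG="$TMPDIR_AUDIT/ssh_config.hardened"

cat > "$WEAK_CFG" <<'EOF'
# falls back to SSH-1 and silently trusts any new host key
Protocol 2,1
StrictHostKeyChecking no
EOF

cat > "$HARD_CFG" <<'EOF'
Protocol 2
StrictHostKeyChecking yes
EOF

# protocol_permits_v1 FILE: true (0) when SSH-1 may still be negotiated,
# i.e. the Protocol directive lists version 1, or there is no directive
# at all (an old "2,1" default cannot be ruled out, so treat as permitted).
protocol_permits_v1() {
    line=$(grep -i '^[[:space:]]*Protocol[[:space:]]' "$1" | head -n 1)
    [ -z "$line" ] && return 0
    printf '%s\n' "$line" | awk '{print $2}' | tr ',' '\n' | grep -qx '1'
}

# strict_hostkey_checking FILE: true (0) when the client is configured to
# refuse host keys that are not already in known_hosts.
strict_hostkey_checking() {
    grep -iq '^[[:space:]]*StrictHostKeyChecking[[:space:]][[:space:]]*yes[[:space:]]*$' "$1"
}

# audit_config FILE: prints each finding, returns 0 only if both checks pass.
audit_config() {
    rc=0
    if protocol_permits_v1 "$1"; then
        echo "$1: SSH-1 still permitted (set 'Protocol 2')"
        rc=1
    fi
    if ! strict_hostkey_checking "$1"; then
        echo "$1: unknown host keys may be accepted (set 'StrictHostKeyChecking yes')"
        rc=1
    fi
    return $rc
}

# Usage: the weak file produces two findings, the hardened file none.
audit_config "$WEAK_CFG" || true
audit_config "$HARD_CFG" && echo "$HARD_CFG: ok"
```

A missing `Protocol` line is deliberately reported as a finding: the script cannot tell from the file alone which default the installed client applies, and the advisory's point is that SSH-1 must be ruled out, not merely not requested.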
The CERT/CC would like to thank Antti Huima, Tuomas Aura, and Janne Salmi for their analysis and Tatu Ylonen for bringing this vulnerability to our attention.
This document was written by Jeffrey P. Lanza and Shawn Van Ittersum.
Date First Published: 2000-11-07
Date Last Updated: 2001-10-29 15:52 UTC