Bug 472068 (CVE-2008-5161)

Summary: CVE-2008-5161 OpenSSH: Plaintext Recovery Attack against CBC ciphers
Product: [Other] Security Response
Reporter: Gilbert Sebenste <sebenste>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bressers, mgrepl, mike.herrick, mmarcini, tmraz, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://isc.sans.org/diary.html?storyid=5366 , http://www.ssh.com/company/news/article/953/
Whiteboard: source=internet,reported=20081016,public=20081119,impact=low
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-06 12:41:39 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 502230
Bug Blocks:
Attachments (Description / Flags):
  CPNI Advisory (saved for posterity sake) / none

Description Gilbert Sebenste 2008-11-18 11:08:54 EST
Description of problem: OpenSSH has a security flaw which, if exploited, can potentially allow an attacker to recover up to 32 bits of plaintext from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration. If OpenSSH is used in the standard configuration, then the attacker's success probability for recovering 32 bits of plaintext is 2^{-18}. A variant of the attack against OpenSSH in the standard configuration recovers 14 bits of plaintext with probability 2^{-14}. The success probability of the attack for other implementations of SSH is not known.

Article here: http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt

And 
Version-Release number of selected component (if applicable): 4.8p1 and earlier


How reproducible: Always


Steps to Reproduce:
1. See URLs for details.
Actual results: This is not supposed to happen...


Expected results: but it happens.


Additional info: Although this is a security-sensitive bug, it is now widely known, in part due to the info given on the SANS Internet Storm Center.
Comment 1 Gilbert Sebenste 2008-11-18 11:12:21 EST
(In reply to comment #0)

> Version-Release number of selected component (if applicable): 4.8p1 and earlier

That should read 4.7p1 and earlier, sorry for the typo.
Comment 2 Tomas Mraz 2008-11-18 12:27:28 EST
It is an inherent weakness of the ssh2 protocol. You can overcome it by using only the AES CTR mode ciphers.
Comment 3 Gilbert Sebenste 2008-11-18 12:49:21 EST
Tomas,

Should I close this bug, then?
Comment 4 Josh Bressers 2008-11-20 08:11:18 EST
I'm moving this bug to the Security Response product for proper tracking.
Comment 5 Josh Bressers 2008-11-20 08:18:26 EST
Created attachment 324169 [details]
CPNI Advisory (saved for posterity sake)
Comment 6 Tomas Hoger 2008-11-21 08:48:59 EST
OpenSSH upstream advisory / statement regarding this issue:
  http://openssh.org/txt/cbc.adv
Comment 7 Tomas Hoger 2008-11-24 08:19:25 EST
OpenSSH upstream mitigation patch, reducing success probability to 2^-18:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.157;r2=1.158;f=h
Comment 8 Josh Bressers 2009-02-17 14:40:34 EST
After reviewing the upstream fix for this issue, Red Hat does not intend to address this flaw at this time.  A future update may address this issue.
Comment 9 Tomas Hoger 2009-02-26 09:26:06 EST
Upstream further extended the mitigations in version 5.2:
  http://openssh.com/txt/release-5.2

 * This release changes the default cipher order to prefer the AES CTR
   modes and the revised "arcfour256" mode to CBC mode ciphers that are
   susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".

Which refers to upstream commit:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/myproposal.h.diff?r1=1.22;r2=1.23;f=h


 * This release also adds countermeasures to mitigate CPNI-957037-style
   attacks against the SSH protocol's use of CBC-mode ciphers. Upon
   detection of an invalid packet length or Message Authentication
   Code, ssh/sshd will continue reading up to the maximum supported
   packet length rather than immediately terminating the connection.
   This eliminates most of the known differences in behaviour that
   leaked information about the plaintext of injected data which formed
   the basis of this attack. We believe that these attacks are rendered
   infeasible by these changes.

Which refers to upstream commits:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/cipher.c.diff?r1=1.81;r2=1.82;f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/cipher.h.diff?r1=1.36;r2=1.37;f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.158;r2=1.159;f=h
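The following is an added simulation, not part of this bug report and not OpenSSH code, of the behaviour the 5.2 release notes above describe: an SSH receiver decrypts the first CBC block of a packet to get the 32-bit packet length, and before 5.2 a pre-length-check disconnect versus a read-then-MAC-failure disconnect let a network attacker count how many bytes were consumed and so learn the decrypted length, i.e. 32 bits of D(C_t) XOR state for an injected block C_t, which XORs with known ciphertext to 32 bits of the victim's plaintext. The block size, the 256 KiB maximum packet size and the hmac-sha1 tag length are the real values; the toy block cipher, the victim packet, the key, the "typical"/"lucky" chaining states and the single constant HARDENED_READ used to model "keep reading up to the maximum packet length" are assumptions of this example. Because the event that makes the length valid has probability 2^-18 per attempt, the simulation (which knows the key) constructs the chaining state that triggers it rather than waiting for it; a real attacker cannot do that and must retry.

```python
"""Constructed simulation of the CBC length oracle behind CVE-2008-5161 and of
the OpenSSH 5.2 countermeasure.  Toy block cipher; this is not OpenSSH code.
BLOCK, PACKET_MAX_SIZE and MAC_LEN are the real values, the rest is a model."""
import struct

BLOCK = 16                    # AES block size
PACKET_MAX_SIZE = 256 * 1024  # OpenSSH's maximum accepted packet length
MAC_LEN = 20                  # hmac-sha1 tag length
# Modelling assumption: a 5.2-style receiver reads this much on *any* failure.
HARDENED_READ = PACKET_MAX_SIZE + BLOCK + MAC_LEN


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class ToyBlockCipher:
    """Keyed bijection on 16-byte blocks (per-byte keyed S-box); not secure,
    the CBC argument only needs invertibility."""

    def __init__(self, key):
        sbox, x = list(range(256)), int.from_bytes(key, "big") | 1
        for i in range(255, 0, -1):  # Fisher-Yates shuffle driven by a key-seeded LCG
            x = (x * 6364136223846793005 + 1442695040888963407) & (2 ** 64 - 1)
            j = x % (i + 1)
            sbox[i], sbox[j] = sbox[j], sbox[i]
        self.key, self.sbox, self.inv = key, sbox, [0] * 256
        for i, v in enumerate(sbox):
            self.inv[v] = i

    def encrypt_block(self, p):
        return bytes(self.sbox[a ^ k] for a, k in zip(p, self.key))

    def decrypt_block(self, c):
        return bytes(self.inv[a] ^ k for a, k in zip(c, self.key))


def cbc_encrypt(cipher, state, plaintext):
    """SSH carries the CBC chaining state across packets: the last ciphertext
    block on the wire is the IV of the next packet.  Returns (ct, new state)."""
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        state = cipher.encrypt_block(xor(plaintext[i:i + BLOCK], state))
        out += state
    return bytes(out), state


def length_is_valid(packet_length):
    need = 4 + packet_length - BLOCK  # bytes still to read after the first block
    return 1 + 4 <= packet_length <= PACKET_MAX_SIZE and need % BLOCK == 0


def bytes_read_before_disconnect(cipher, state, injected, hardened):
    """Receiver model.  A MAC over an injected block never verifies, so the
    connection always dies; the attacker observes how many bytes were read first."""
    plain = xor(cipher.decrypt_block(injected), state)
    packet_length = struct.unpack(">I", plain[:4])[0]
    if hardened:
        # 5.2: on a bad length or bad MAC keep reading up to the maximum packet
        # size before disconnecting, so the count no longer depends on the length.
        return HARDENED_READ
    if not length_is_valid(packet_length):
        return BLOCK  # pre-5.2: immediate "Bad packet length" disconnect
    return 4 + packet_length + MAC_LEN  # reads the whole packet and MAC, then fails


def recover_prefix(bytes_read, state_at_injection, c_before_target):
    """Attacker side.  The receiver decrypted C_t as D(C_t) XOR state; the
    victim's plaintext was D(C_t) XOR C_{t-1}.  Both XOR terms were on the wire."""
    if bytes_read == BLOCK or bytes_read > 4 + PACKET_MAX_SIZE + MAC_LEN:
        return None  # rejected at once, or read to the maximum: nothing learned
    leaked = struct.pack(">I", bytes_read - 4 - MAC_LEN)  # D(C_t)[:4] XOR state[:4]
    return xor(xor(leaked, state_at_injection[:4]), c_before_target[:4])


def run_demo(hardened):
    cipher = ToyBlockCipher(bytes(range(16)))  # constructed key
    iv = bytes([0x5A]) * BLOCK                 # constructed initial chaining state
    # Constructed victim packet: length, pad length, payload.  Block 2 is the target.
    victim = b"\x00\x00\x00\x1c\x04password:  " + b"hunter2-password"
    assert len(victim) == 2 * BLOCK
    ct, state_after_victim = cbc_encrypt(cipher, iv, victim)
    c_before_target, c_target = ct[:BLOCK], ct[BLOCK:]  # C_{t-1}, C_t
    # Typical attempt: C_t injected while the receiver's state is whatever block
    # was last on the wire; with probability ~1 - 2^-18 the length is rejected.
    typical_read = bytes_read_before_disconnect(cipher, state_after_victim, c_target, hardened)
    # The 2^-18 case: the state turns the first four decrypted bytes into a valid
    # length (44 here).  The simulation knows the key and builds that state
    # directly; a real attacker has no such control and has to keep trying.
    lucky_state = xor(cipher.decrypt_block(c_target), struct.pack(">I", 44) + bytes(12))
    lucky_read = bytes_read_before_disconnect(cipher, lucky_state, c_target, hardened)
    return {
        "typical_read": typical_read,
        "lucky_read": lucky_read,
        "recovered": recover_prefix(lucky_read, lucky_state, c_before_target),
        "true_prefix": victim[BLOCK:BLOCK + 4],
    }


if __name__ == "__main__":
    for hardened in (False, True):
        print("5.2-style" if hardened else "pre-5.2", run_demo(hardened))
```

Against the pre-5.2 receiver the lucky attempt reads 4 + 44 + 20 bytes and `recover_prefix` returns the first four bytes of the target block, while the typical attempt stops after one block; against the 5.2-style receiver both attempts read the same constant amount and the attacker learns nothing from the count. The 5.2 default cipher order (CTR first) removes the chaining-state dependency altogether, which is why Comment 2's advice to use only CTR ciphers is the stronger fix.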
Comment 10 Tomas Mraz 2009-05-04 11:46:03 EDT
*** Bug 498957 has been marked as a duplicate of this bug. ***
Comment 11 errata-xmlrpc 2009-09-02 05:44:42 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1287 https://rhn.redhat.com/errata/RHSA-2009-1287.html
Comment 12 errata-xmlrpc 2009-09-02 08:09:50 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1287 https://rhn.redhat.com/errata/RHSA-2009-1287.html
Comment 13 Josh Bressers 2011-08-02 15:23:15 EDT
Statement:

This issue was addressed for Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1287.html

After reviewing the upstream fix for this issue, Red Hat does not intend to address this flaw in Red Hat Enterprise Linux 4.