Bug 472068 (CVE-2008-5161) - CVE-2008-5161 OpenSSH: Plaintext Recovery Attack against CBC ciphers
Summary: CVE-2008-5161 OpenSSH: Plaintext Recovery Attack against CBC ciphers
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-5161
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://isc.sans.org/diary.html?storyi...
Whiteboard:
: 498957 (view as bug list)
Depends On: 502230
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-11-18 16:08 UTC by Gilbert Sebenste
Modified: 2019-09-29 12:27 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-06 17:41:39 UTC


Attachments (Terms of Use)
CPNI Advisory (saved for posterity sake) (5.12 KB, text/plain)
2008-11-20 13:18 UTC, Josh Bressers
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1287 normal SHIPPED_LIVE Low: openssh security, bug fix, and enhancement update 2009-09-01 09:55:07 UTC

Description Gilbert Sebenste 2008-11-18 16:08:54 UTC
Description of problem: OpenSSH has a security flaw which,
if exploited, the attack can potentially allow an attacker to
recover up to 32 bits of plaintext from an arbitrary block of 
ciphertext from a connection secured using the SSH protocol in 
the standard configuration. If OpenSSH is used in the standard 
configuration, then the attacker's success probability for 
recovering 32 bits of plaintext is 2^{-18}. A variant of the 
attack against OpenSSH in the standard configuration recovers 14 
bits of plaintext with probability 2^{-14}. The success probability 
of the attack for other implementations of SSH is not known.

Article here: http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt

And 
Version-Release number of selected component (if applicable): 4.8p1 and earlier


How reproducible: Always


Steps to Reproduce:
1. See URLs for details.
2.
3.
  
Actual results: This is not supposed to happen...


Expected results: but it happens.


Additional info: Although this is a security-sensitive bug, it is now widely known, in part due to the info given on the SANS Internet Storm Center.

Comment 1 Gilbert Sebenste 2008-11-18 16:12:21 UTC
(In reply to comment #0)

> Version-Release number of selected component (if applicable): 4.8p1 and earlier

That should read 4.7p1 and earlier, sorry for the typo.

Comment 2 Tomas Mraz 2008-11-18 17:27:28 UTC
It is inherent weakness of the ssh2 protocol. You can overcome it by using only the aes ctr mode ciphers.

Comment 3 Gilbert Sebenste 2008-11-18 17:49:21 UTC
Tomas,

Should I close this bug, then?

Comment 4 Josh Bressers 2008-11-20 13:11:18 UTC
I'm moving this bug to the Security Response product for proper tracking.

Comment 5 Josh Bressers 2008-11-20 13:18:26 UTC
Created attachment 324169 [details]
CPNI Advisory (saved for posterity sake)

Comment 6 Tomas Hoger 2008-11-21 13:48:59 UTC
OpenSSH upstream advisory / statement regarding this issue:
  http://openssh.org/txt/cbc.adv

Comment 7 Tomas Hoger 2008-11-24 13:19:25 UTC
OpenSSH upstream mitigation patch, reducing success probability to 2^-18:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.157;r2=1.158;f=h

Comment 8 Josh Bressers 2009-02-17 19:40:34 UTC
After reviewing the upstream fix for this issue, Red Hat does not intent to address this flaw at this time.  A future update may address this issue.

Comment 9 Tomas Hoger 2009-02-26 14:26:06 UTC
Upstream further extended the mitigations in version 5.2:
  http://openssh.com/txt/release-5.2

 * This release changes the default cipher order to prefer the AES CTR
   modes and the revised "arcfour256" mode to CBC mode ciphers that are
   susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".

Which refers to upstream commit:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/myproposal.h.diff?r1=1.22;r2=1.23;f=h


 * This release also adds countermeasures to mitigate CPNI-957037-style
   attacks against the SSH protocol's use of CBC-mode ciphers. Upon
   detection of an invalid packet length or Message Authentication
   Code, ssh/sshd will continue reading up to the maximum supported
   packet length rather than immediately terminating the connection.
   This eliminates most of the known differences in behaviour that
   leaked information about the plaintext of injected data which formed
   the basis of this attack. We believe that these attacks are rendered
   infeasible by these changes.

Which refers to upstream commits:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/cipher.c.diff?r1=1.81;r2=1.82;f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/cipher.h.diff?r1=1.36;r2=1.37;f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.158;r2=1.159;f=h

Comment 10 Tomas Mraz 2009-05-04 15:46:03 UTC
*** Bug 498957 has been marked as a duplicate of this bug. ***

Comment 11 errata-xmlrpc 2009-09-02 09:44:42 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1287 https://rhn.redhat.com/errata/RHSA-2009-1287.html

Comment 12 errata-xmlrpc 2009-09-02 12:09:50 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1287 https://rhn.redhat.com/errata/RHSA-2009-1287.html

Comment 13 Josh Bressers 2011-08-02 19:23:15 UTC
Statement:

This issue was addressed for Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1287.html

After reviewing the upstream fix for this issue, Red Hat does not intend to address this flaw in Red Hat Enterprise Linux 4.


Note You need to log in before you can comment on or make changes to this bug.