Re: Probable SSH Vulnerability
On Fri, 13 Jun 2003 17:52:21 -0400, Tim Peeler wrote:
>On Fri, Jun 13, 2003 at 05:15:28PM -0400, David B Harris wrote:
>>
>> On Fri, 13 Jun 2003 14:18:44 -0400
>> Tim Peeler <thp@linux00.LinuxForce.net> wrote:
>> > In the last 4-5 days we have had 8 servers come under attack. We are
>> > working frantically to keep ahead of these attacks. We have come to the
>> > conclusion that the SSH in woody is likely vulnerable.
[...]
>> > We have not had time
>> > to analyze where the exploit occurs in sshd, but we are very confident
>> > that this is the location of the exploit. We have begun upgrading to
>> > a backport of the testing version of ssh which appears to be helping.
>>
>> Could you provide your /etc/ssh/sshd_config, the version of your "ssh"
>> package, and the output from 'debsums ssh'? Thanks.
>>
>
>sshd_config for compromised server attached, as well as the output of
>debsums ssh
>
>SSH Version: 3.4p1-1
[snip]
From your sshd_config:
> Protocol 2,1
Um, aren't there known *unfixable* problems with the SSH1 protocol?
http://www.cert.org/advisories/CA-2001-35.html
http://list.cobalt.com/pipermail/cobalt-security/2001-November/003857.html
http://groups.google.com/groups?q=ssh1+unfixable&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=m1lsmv0faft.fsf%40syrinx.oankali.net&rnum=1
http://groups.google.com/groups?q=ssh1+deprecated&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=Pine.LNX.4.10.10102101444180.22997-100000%40mystery.acr.fi&rnum=1
I may be wrong (not expert, etc) but I'm under the impression that
SSH1 is unfixably broken and should not now be used - certainly we
only have protocol 2 listed in all our server configs.
Having protocol 1 second in the list doesn't stop a client from
insisting on using it.
Tatu Ylonen says in the 4th reference above:
"The whole CRC32 vulnerability is once again a
manifestation of certain fundamental problems
in the SSH1 key exchange and message authentication
mechanism. The SSH2 protocol was created to fix
these (and other) problems. The old SSH1 protocol
is deprecated, and people are strongly urged to
move to using the SSH2 protocol.
.. some cryptographers that I know have been
speculating whether it would be possible to
construct attack patterns that would get around
the CRC32 deattack mechanism entirely. The
original CRC32 attack works obtaining some known
plaintext-ciphertext pairs, and constructing a
special pattern that defeats the CRC32 that was
used as MAC in SSH1. The deattack code detects
the particular pattern used to defeat the CRC32
check. However, some people are speculating
that there may be other patterns (e.g.
involving more known plaintext-ciphertext pairs)
that would also compensate for CRC32 but would
not be detected by the deattack code.
I cannot confirm whether this is the case, but
I personally do not fully trust that the
deattack code will be able to prevent all
variations of the attack (even without the
bug in the deattack code). The real fix is to
move to using the SSH2 protocol."
My 2p, etc. You probably already know all this.
Do you *have* to have SSH1 enabled?
(Sorry if this is all off-target)
Good luck
Nick Boyce
Bristol, UK
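Two offline checks for the "Protocol 2,1" point made in the thread above, added here as an example and not code from any of the posters. The first reads an sshd_config and reports whether protocol 1 would still be accepted, either because "1" appears in the Protocol line or because the keyword is absent and the OpenSSH 3.x default of "2,1" applies. The second classifies a server's identification banner (the first line it sends on connect): "SSH-1.99-..." is the standard marker for "I speak both 1 and 2, client's choice", which is exactly why listing 2 first on the server does nothing to stop a client that insists on SSH1. The sample configs and banner strings are constructed for the demonstration; the script only needs a POSIX sh and awk.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posters.
#   1. Does an sshd_config still permit SSH protocol 1 (explicitly, or by
#      falling back to the OpenSSH 3.x default "Protocol 2,1" when the
#      keyword is absent)?
#   2. Does a server's identification banner show that it will accept a
#      protocol 1 client?  "SSH-1.99-..." means "either 1 or 2".
# All configs and banners below are constructed sample input.

# Read an sshd_config on stdin and print the effective Protocol value.
# Keywords are case-insensitive and may be separated from their value by
# whitespace or "="; the first occurrence wins, as in sshd itself.
sshd_protocol_versions() {
    awk '
        BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, "") }               # regex FS does not strip leading blanks
        /^#/ || NF == 0 { next }              # comments and blank lines
        tolower($1) == "protocol" && NF >= 2 && !seen { seen = 1; val = $2 }
        END {
            if (!seen) val = "2,1"            # OpenSSH 3.x default when unset
            gsub(/"/, "", val)                # tolerate a quoted value
            print val
        }
    '
}

# Exit 0 if protocol 1 is enabled by the config on stdin, 1 otherwise.
ssh1_enabled() {
    versions=$(sshd_protocol_versions)
    case ",$versions," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print a one-line verdict for the config on stdin.
audit_config() {
    if ssh1_enabled; then
        echo "protocol 1 ENABLED (sshd accepts a client that insists on SSH1)"
    else
        echo "protocol 2 only"
    fi
}

# Classify the protocol(s) a server offers from its identification string,
# i.e. the first line it sends on connect (what "nc host 22" shows).
#   SSH-1.99-...  both protocol 1 and 2 (RFC 4253 compatibility marker)
#   SSH-2.0-...   protocol 2 only
#   SSH-1.5-...   protocol 1 only
banner_protocols() {
    case "$1" in
        SSH-1.99-*)   echo "1,2" ;;
        SSH-2.0-*)    echo "2" ;;
        SSH-1.[0-9]*) echo "1" ;;
        *)            echo "unknown" ;;
    esac
}

# --- demonstration on constructed inputs -------------------------------
woody_cfg='Port 22
Protocol 2,1
PermitRootLogin no'

hardened_cfg='Port 22
# Protocol 2,1
Protocol 2
PermitRootLogin no'

unset_cfg='Port 22
PermitRootLogin no'

printf 'as posted  : %s\n' "$(printf '%s\n' "$woody_cfg"    | audit_config)"
printf 'hardened   : %s\n' "$(printf '%s\n' "$hardened_cfg" | audit_config)"
printf 'no keyword : %s\n' "$(printf '%s\n' "$unset_cfg"    | audit_config)"

for banner in 'SSH-1.99-OpenSSH_3.4p1' 'SSH-2.0-OpenSSH_3.6.1p2' 'SSH-1.5-OpenSSH_2.1.1'; do
    printf '%-26s offers protocol %s\n' "$banner" "$(banner_protocols "$banner")"
done
```

Run it against a real host with `sshd_protocol_versions < /etc/ssh/sshd_config` on the server and `banner_protocols "$(nc host 22 < /dev/null | head -n 1)"` from a client; a server whose banner starts with SSH-1.99 will still negotiate SSH1 with any client that asks for it, whatever order the Protocol line lists.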