Vulnerability discovered in SSH specification
According to the UK-based Centre for the Protection of National Infrastructure (CPNI), an error in the secure shell protocol (SSH) specification can in rare cases be exploited to reconstruct part of the plaintext. According to their description of the error, the standard OpenSSH configuration allows 32 bits of plaintext to be recovered from arbitrary points within the ciphertext. In order to carry out a successful attack, the attacker must be able to observe how an SSH connection reacts to various error states and be able to induce those error conditions. The probability of a successful attack is, however, only 2^-18. SSH connections are also generally torn down by attempts of this type.
The CPNI does not give more precise details, but the attack is reported to be rendered ineffective by switching SSH from cipher-block chaining mode (CBC) to counter mode (CTR). Counter mode turns a block cipher into a stream cipher, so the block-boundary behaviour the attack relies on no longer applies.
Although CPNI has only looked in detail at OpenSSH, it is assumed that all SSH implementations which conform to RFC 4251 will contain this vulnerability. SSH Communications Security has already released its own security advisory, in which it discusses the problem in its SSH Tectia clients and servers. An update should fix the vulnerability. Alternatively, the company recommends switching to either the CryptiCore or Arcfour (RC4) encryption algorithms, which do not use CBC.
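Whether a peer is still willing to negotiate a CBC cipher is visible in its SSH_MSG_KEXINIT message, which is sent in the clear before encryption starts (RFC 4253, section 7.1). The following script is an added example, not code from CPNI, OpenSSH or SSH Communications Security: it parses a decrypted KEXINIT payload and lists every CBC-mode cipher offered. The sample payloads are constructed inline with `build_kexinit`, a helper written here for test data; in practice the payload would come from a packet capture.

```python
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253 section 7.1
# The ten comma-separated name-lists that follow the 16-byte cookie, in order.
NAME_LISTS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

def _name_list(buf: bytes, off: int):
    """Decode one RFC 4251 name-list: uint32 length followed by ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [x for x in names.split(",") if x], off + n

def parse_kexinit(payload: bytes) -> dict:
    """Parse a decrypted SSH_MSG_KEXINIT payload into its name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, fields = 1 + 16, {}  # skip the message byte and the random cookie
    for name in NAME_LISTS:
        fields[name], off = _name_list(payload, off)
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields

def cbc_ciphers(kexinit: dict) -> list:
    """Return every CBC-mode cipher the peer is willing to negotiate, in either direction."""
    offered = (kexinit["encryption_algorithms_client_to_server"]
               + kexinit["encryption_algorithms_server_to_client"])
    return sorted({c for c in offered if "-cbc" in c})

def build_kexinit(ciphers: list) -> bytes:
    """Construct a sample KEXINIT payload (constructed test data, not a real capture)."""
    def nl(names):
        s = ",".join(names).encode("ascii")
        return struct.pack(">I", len(s)) + s
    lists = [["diffie-hellman-group14-sha1"], ["ssh-rsa"], ciphers, ciphers,
             ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"], [], []]
    # message byte, zeroed cookie, ten name-lists, first_kex_packet_follows=0, reserved uint32
    return bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + b"".join(nl(l) for l in lists) + b"\x00" * 5

if __name__ == "__main__":
    legacy = build_kexinit(["aes128-cbc", "3des-cbc", "aes128-ctr"])
    hardened = build_kexinit(["aes128-ctr", "aes192-ctr", "aes256-ctr"])
    print("legacy peer offers CBC:", cbc_ciphers(parse_kexinit(legacy)))
    print("hardened peer offers CBC:", cbc_ciphers(parse_kexinit(hardened)))
```

A non-empty result means the peer would still accept CBC if the other side proposed it; on OpenSSH the fix is to restrict the `Ciphers` directive in sshd_config or ssh_config to CTR suites such as aes128-ctr, aes192-ctr and aes256-ctr.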
- Plaintext Recovery Attack Against SSH, security advisory from CPNI
- Plaintext Recovery Attack Against SSH, security advisory from SSH Communications Security