
Targeted MitM attacks using information leakage in SSH clients [pdf] - based2
https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf
======
zokier
According to the report, this also applies to OpenSSH client

~~~
dang
Yes. The versions are OpenSSH 5.7 - 8.3, PuTTY 0.68 - 0.73.

We've changed the URL from
[https://nvd.nist.gov/vuln/detail/CVE-2020-14002](https://nvd.nist.gov/vuln/detail/CVE-2020-14002)
to what seems to be the original source, via
[https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2...](https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/), which the former article links to.

The comments in this thread are all about PuTTY, which no doubt is because
that's all the other article mentioned.

------
based2
[https://www.chiark.greenend.org.uk/~sgtatham/putty/](https://www.chiark.greenend.org.uk/~sgtatham/putty/)
2020-06-27 PuTTY 0.74 released

------
noble_pleb
An alternative to putty on windows is to get the entire Git SCM package[1].
You get not just git, ssh and sftp but many other useful command line tools
too.

[1]: [https://git-scm.com/](https://git-scm.com/)

~~~
AnssiH
Note also that ssh and scp (from OpenSSH) are included in Windows by default
since 2018.

------
DangerousPie
I'm surprised people are still using PuTTY this much. It used to be one of the
first programs I'd install on any new Windows machine and has served me well
for many years. But since I started using WSL I haven't needed it once.

~~~
badrabbit
You don't need WSL. Windows 10 supports OpenSSH.

~~~
asveikau
I also use the win10 openssh. Sometimes it is not so great at terminal
emulation in a way that a Unix environment will expect. For example I get
frequent weird behaviors running vi. Maybe it could be fixed with TERM or termcap
but putty "just works".

Also I haven't been able to get ssh-agent working there. Maybe I just
need to look into it more.

~~~
btschaegg
On the agent thing: I don't know about the OpenSSH agent, but I have KeeAgent
set up and it works without a hitch in MSYS (and thus Git Bash) as well as
with the SSH port of Microsoft.

------
badrabbit
The EU has a $90k bounty for bugs in PuTTY, did anyone collect on this?

------
jlgaddis
It's a good idea to explicitly set the "Ciphers", "HostKeyAlgorithms",
"KexAlgorithms", and "MACs" options to your preferred values (in your
ssh_config and sshd_config files) anyways... but, as a bonus, the issue
doesn't affect you if you have (according to the document).

~~~
floatingatoll
If you set these options yourself rather than depending on your upstream
distro defaults, be prepared to experience surprising and unexpected
incompatibilities with SSH; by making your own choices, you are accepting
additional responsibilities for debugging compatibility issues that will
arise. When you encounter issues with anything SSH-related, be sure you've
checked your SSH client/server in verbose mode to verify that it is not a
PEBCAK issue _before_ seeking technical support from others, and be sure to
_include_ your custom values for those options when reporting SSH issues to
others so that everyone doesn't waste time trying (uselessly) to repro your
issue without them.

------
tinus_hn
If you don't know the host key you are always vulnerable to a man-in-the-
middle attack. Is this really a vulnerability in PuTTY or a design weakness in
SSH?

~~~
gruez
It's an intentional design decision. Unlike https, ssh doesn't typically use
x509 certificates for authentication, so there's no real way to know whether
you're MITM if you're making a connection for the first time.

~~~
tptacek
Modern SSH of course does support certificates --- SSH certificates aren't
X.509 --- which solve this problem, the key management problem, and the long-
term SSH key hazmat problem. Probably, SSH certificates are what we should
have been using all along.

------
Kenji
The article is so low on details. I wish there was a more in-depth
explanation. Isn't the first connection (with unknown host key) always a
target for MitM attacks and thus insecure, unless you preload the host key?

~~~
Randor
Yes.

That is exactly the reported issue here. PuTTY 0.68 through 0.73 allows the
remote attacker to accurately determine whether or not the client has cached
the host key. It looks like this works because PuTTY sends a different
algorithm list depending on whether or not the key has been cached.

If the MiTM attacker sees the 'default algorithm list' it can be assumed that
this is the first connection attempt and the attacker can substitute the
server key with a compromised key.
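
A small model of the behaviour Randor describes and of the HostKeyAlgorithms pinning jlgaddis recommends. This is an added example, not PuTTY or OpenSSH code: it assumes a simplified client that advertises a default host-key algorithm list and moves the cached key's algorithm to the front when the host is already in known_hosts, and it reports whether a given client configuration advertises a cache-dependent list.

```python
"""Constructed model of the host-key-algorithm ordering leak (not PuTTY/OpenSSH source).

The client builds the KEXINIT host-key algorithm name-list from a default
preference order and, when a key for the target host is already cached,
promotes that key's algorithm to the front so the server offers a key the
client can verify. The list therefore depends on cache state unless
HostKeyAlgorithms is pinned explicitly in the client configuration.
"""

# Assumed default preference order (constructed for this example).
DEFAULT_HOSTKEY_ALGS = ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "ssh-rsa"]


def build_hostkey_list(known_hosts, host, pinned=None):
    """Return the host-key algorithm list this simplified client advertises.

    known_hosts: mapping host -> algorithm of the cached key (constructed cache).
    pinned: explicit HostKeyAlgorithms value, or None for the default behaviour.
    """
    if pinned is not None:
        # Explicit configuration: the advertised list never consults the cache.
        return list(pinned)
    cached_alg = known_hosts.get(host)
    if cached_alg is None:
        return list(DEFAULT_HOSTKEY_ALGS)
    # Cached key's algorithm first, remaining defaults in their original order.
    return [cached_alg] + [a for a in DEFAULT_HOSTKEY_ALGS if a != cached_alg]


def leaks_cache_state(host, known_hosts, pinned=None):
    """True if the advertised list differs between first and repeat connections.

    A configuration for which this returns True lets a passive observer of
    KEXINIT tell whether the client already has a key cached for `host`.
    """
    first_connection = build_hostkey_list({}, host, pinned)
    repeat_connection = build_hostkey_list(known_hosts, host, pinned)
    return first_connection != repeat_connection


def advertised_name_list(algs):
    """Encode the list as the comma-separated name-list carried in KEXINIT."""
    return ",".join(algs)
```

Note that the model also shows the edge case where the cached key's algorithm is already first in the default order: the two lists coincide and nothing is revealed for that host.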

~~~
8organicbits
Ah, that's cool. I pushed AWS to give better ways of getting the host key for
new EC2 instances a few years back. The whole start an EC2 instance, SSH in
and blindly trust the host key on first use thing seemed terrible!

EC2 docs now include that detail, although it's labeled as optional.

[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connecti...](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connection-prereqs.html#connection-prereqs-fingerprint)

------
maxheadrum
Does anyone else get sketched out about downloading PuTTY from the official
URL? I know it's been around for a while, but it still seems like a suspect URL for
such a popular program.

~~~
gnu8
Everyone recognizes that URL. It would be more suspect to download PuTTY from
anywhere else.

~~~
pmoriarty
As an infrequent user of PuTTY, I don't recognize that URL. So I guess I'm not
part of the "everyone" you're talking about.

On the other hand, I think it's absolutely ridiculous to base one's security
around URL recognition, considering all the possible attacks against domain
names and URLs.

Cryptographic signatures in a web of trust would be a big step forward here,
but unfortunately relatively few people participate.

------
nickysielicki
There's a lot said about the benefits of competing implementations: browsers,
web frameworks, what-have-you.

There are certain categories of security-critical software where I feel like
it's only increasing surface area for bugs. The idea that PuTTY has bugs that
aren't originating from the openssh project is really bothersome to me. All
that work to reimplement, for what?

~~~
reificator
> _The idea that PuTTY has bugs that aren't originating from the openssh
> project is really bothersome to me. All that work to reimplement, for what?_

Agreed. OpenSSH wasted a lot of needless effort reimplementing PuTTY. Except
now that you know the timeline is reversed I expect your opinion on
reimplementation to suddenly 180 as well.

> PuTTY Initial Release: January 8, 1999

> OpenSSH Initial Release: 1 December 1999

Via Wikipedia

~~~
saltcured
Note, OpenSSH wasn't brand new code on its first release. It was forked from
the original SSH software from a version before it went commercial. I can't
remember the whole history of that earlier open source project, but I can
remember that I installed it on a university workstation in mid 1996.

