

OpenSSH Design Flaw Discovered - durin42
http://news.zdnet.com/2100-9595_22-303182.html

======
tptacek
Working on a blog post on this now --- actually a response to Atwood's recent
craziness --- but you should know this is a general attack, and a well-known
one, which I know as "error oracle attacks", but might have a better formal
name.

Long story short: you can't generate error messages that reveal whether
messages decrypted properly, or attackers can permute and replay valid messages
and use them to reveal plaintext. This touches on the same radioactive mistake
Atwood made earlier this week, but even if you don't make his mistake, there
are simpler implementation errors you can make that have the same impact.

A good deck from 2005, from the same group cited here:

<http://eprints.rhul.ac.uk/638/1/Error_oracle_attacks_050729_rev.pdf>

I could dispute whether this is really a "design error" in OpenSSH, in that
you wouldn't want to imply that this was particularly hard to fix; the fix,
for instance, won't break compatibility.

------
blogimus
The OpenSSH security page has more useful information and a link to the
advisory (posted last November).

<http://www.openssh.com/security.html>

Would have been nice for the zdnet article to provide a link to it.

~~~
rythie
On: <http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt>

It says: "The most straightforward solution is to use CTR mode instead of CBC
mode, since this renders SSH resistant to the attack."

there is also this page: <http://www.openssh.com/txt/cbc.adv>

both one level down from that one.
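
Added example for both comments above (tptacek's "error oracle" point and the CTR-over-CBC recommendation rythie quotes from the CPNI advisory); it is not code from the thread, from OpenSSH or from the advisory. It is a toy simulation of the mechanism the advisory describes: an SSH receiver decrypts the first block of a packet, reads the 32-bit length field out of it, and either drops the connection at once or buffers that many bytes before the MAC check fails. Because CBC chains across packets, an attacker who replays an earlier ciphertext block C1 gets it decrypted as P1 ^ C0 ^ C1, so the receiver's behaviour leaks the first word of P1. Everything in the block is my own assumption: the 4-round SHA-256 Feistel standing in for AES, the [5, 2**18] length check (OpenSSH also checked block alignment, omitted here so the loop finishes in about a second), the constructed packet, and the names `length_oracle`, `attack_cbc`, `attack_ctr`, `make_session` and `run_until_hit`.

```python
import hashlib
import struct

BLOCK = 16
MAX_PACKET = 2 ** 18   # assumed receiver limit on the decrypted length field


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, i, half):  # toy round function
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, block):
    """4-round Feistel network: toy stand-in for AES, invertible by construction."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _f(key, i, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, _f(key, i, left)), left
    return left + right


def cbc_encrypt(key, iv, data):
    """Ciphertext blocks; as in SSH, the chaining value carries across packets."""
    blocks, prev = [], iv
    for off in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[off:off + BLOCK], prev))
        blocks.append(prev)
    return blocks


def length_oracle(key, chain, first_block):
    """What the attacker can observe from a pre-countermeasure receiver: None if
    the decrypted length is rejected and the connection dropped at once, else
    the number of bytes the receiver buffers before its MAC check fails (the
    attacker learns that count by feeding filler until the connection drops)."""
    plain = xor(block_decrypt(key, first_block), chain)
    length = struct.unpack(">I", plain[:4])[0]
    if not 5 <= length <= MAX_PACKET:
        return None
    return length + 4


def make_session(n):
    """Constructed session n: fresh key and IV plus one 32-byte SSH-style packet
    (uint32 length, padding length, payload, padding). Block 1 starts at 'hunter2'."""
    key = hashlib.sha256(b"toy-session-key" + n.to_bytes(4, "big")).digest()[:16]
    iv = hashlib.sha256(b"toy-chain-iv" + key).digest()[:16]
    payload, padding = b"password = hunter2", b"\x00" * 9
    header = struct.pack(">IB", 1 + len(payload) + len(padding), len(padding))
    return key, iv, header + payload + padding


def attack_cbc(key, iv, packet):
    """One shot per connection: replay ciphertext block C1 as the start of a new
    packet. The receiver decrypts it as D(C1) ^ C1 = P1 ^ C0 ^ C1, so when the
    oracle answers, the 32-bit length field it used yields the first word of P1."""
    c0, c1 = cbc_encrypt(key, iv, packet)
    total = length_oracle(key, c1, c1)  # chaining value is C1, the last block seen
    if total is None:
        return None
    return xor(xor(struct.pack(">I", total - 4), c0[:4]), c1[:4])


def run_until_hit(max_sessions=300_000):
    """Reconnect until a probe survives the length check (roughly 2**-14 per try
    under the assumed check). Returns (connections used, recovered, true word)."""
    for n in range(max_sessions):
        key, iv, packet = make_session(n)
        got = attack_cbc(key, iv, packet)
        if got is not None:
            return n + 1, got, packet[BLOCK:BLOCK + 4]
    return max_sessions, None, None


def attack_ctr(key, iv, packet):
    """Same probe against CTR (keystream block j = E(iv ^ j)). Replaying C1 at
    counter position 2 decrypts to P1 ^ KS1 ^ KS2: the oracle may answer, but
    the mask KS1 ^ KS2 is secret, so nothing about P1 leaks. Returns
    (word the oracle sees, that secret mask) so the relation can be checked."""
    ks = [block_encrypt(key, xor(iv, j.to_bytes(BLOCK, "big"))) for j in range(3)]
    c1 = xor(packet[BLOCK:2 * BLOCK], ks[1])
    return xor(c1, ks[2])[:4], xor(ks[1], ks[2])[:4]


if __name__ == "__main__":
    n, got, truth = run_until_hit()
    print(f"CBC: hit after {n} connections, recovered {got!r} (truth {truth!r})")
    seen, mask = attack_ctr(*make_session(0))
    print(f"CTR: oracle sees {seen!r} = P1[:4] ^ {mask!r}; mask is keyed, so no leak")
```

The point to take from running it: the CBC probe is cheap and the receiver's reaction is the whole attack, which is why the fix is on the receiver's side (never let the error's timing or type depend on decrypted bytes) or in the mode choice; in CTR the replayed block decrypts under a keystream the attacker cannot cancel, so even a talkative receiver gives away only a value masked by secret keystream.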

------
eli
(off-topic, but it's amusing how their comment system removes the word "chink"
from all comments even though it's the first word of the title of the
article.)

------
jkcunningham
It says it is in SSH 4.7. I just checked and I'm already up to version 5.1 on
a 2.6.26-1 system. How dated is this problem?

~~~
mrduncan
This is a flaw in the SSH standard itself, not in a specific version of
software. Countermeasures have been put in place to mitigate the flaw in
OpenSSH however.

 _"They've fixed [OpenSSH]; they've put countermeasures in place to stop our
attack," said Patterson. "But the standard has not changed."_

------
astrodust
The article appears to have been removed.

"We were unable to find the page you requested."

