Simon Sibbez Guest
|
Posted: Tue Nov 18, 2008 11:28 pm Post subject: new openssh trouble? |
|
|
Hi list,
see http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
S. |
Loki Harfagr Guest
|
Posted: Wed Nov 19, 2008 8:42 am Post subject: Re: new openssh trouble? |
|
|
Tue, 18 Nov 2008 18:28:40 +0100, Simon Sibbez did cat :
| Quote: | Hi list,
see http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
S.
|
I'd block in the sshd_config:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr |
Res Guest
|
Posted: Thu Nov 20, 2008 3:07 am Post subject: Re: new openssh trouble? |
|
|
On Thu, 20 Nov 2008, Simon Sibbez wrote:
| Quote: | start
What is affected?
-----------------
The attack was verified against the following product version running
on Debian GNU/Linux
/end
"We expect any RFC-compliant SSH implementation to be vulnerable
to some form of the attack."
|
Dangerous statement to make though since they only tested debian systems :)
--
Res
If you are not part of the solution, then you are part of the problem!
Simon Sibbez Guest
|
Posted: Thu Nov 20, 2008 7:23 am Post subject: Re: new openssh trouble? |
|
|
Res wrote:
| Quote: | On Wed, 19 Nov 2008, Loki Harfagr wrote:
Tue, 18 Nov 2008 18:28:40 +0100, Simon Sibbez did cat :
Hi list,
see http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
S.
I'd block in the sshd_config:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
start
What is affected?
-----------------
The attack was verified against the following product version running
on Debian GNU/Linux
/end
|
"We expect any RFC-compliant SSH implementation to be vulnerable
to some form of the attack."
| Quote: | Why does that not really surprise anyone?
...and 4.7 is old, oh wait, again, they did say debian discovery
didn't they
|
Even if they rate a successful attack LOW, IMHO it's still worth
mentioning. And it'll hit CVE sooner rather than later anyway (and I'm
always happily bashing Debian Stale as well), so ;p
S. |
Loki Harfagr Guest
|
Posted: Thu Nov 20, 2008 8:35 am Post subject: Re: new openssh trouble? |
|
|
Thu, 20 Nov 2008 02:23:37 +0100, Simon Sibbez did cat :
| Quote: | Res wrote:
On Wed, 19 Nov 2008, Loki Harfagr wrote:
Tue, 18 Nov 2008 18:28:40 +0100, Simon Sibbez did cat :
Hi list,
see http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
S.
I'd block in the sshd_config:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
start
What is affected?
-----------------
The attack was verified against the following product version running
on Debian GNU/Linux
/end
"We expect any RFC-compliant SSH implementation to be vulnerable to some
form of the attack."
Why does that not really surprise anyone?
...and 4.7 is old, oh wait, again, they did say debian discovery didn't
they :)
Even if they rate a successful attack LOW, IMHO it's still worth
mentioning. And it'll hit CVE sooner rather than later anyway (and I'm
always happily bashing Debian Stale as well), so ;p
S.
|
Still it is not an extreme emergency, as the attack possibility
can be avoided with an easy server setting (quoted somewhere upwards),
so that time it shouldn't shamble all the net with smokescreen
and the devs will have some time to prepare a repair without
introducing new "features" (hope so  |
Mikhail Zotov Guest
|
Posted: Thu Nov 20, 2008 2:56 pm Post subject: Re: new openssh trouble? |
|
|
On 19 Nov 2008 08:41:48 GMT
Loki Harfagr <l0k1@thedarkdesign.free.fr.INVALID> wrote:
| Quote: | Tue, 18 Nov 2008 18:28:40 +0100, Simon Sibbez did cat:
Hi list,
see http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
S.
I'd block in the sshd_config:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
|
Are you sure? A quotation from http://ssh.com/company/news/article/953/
"
An immediate workaround is to refrain from using CBC mode block ciphers
in Secure Shell (SSH) sessions.
"
Then they say:
"
In practice this is achievable ... by utilizing either
CryptiCore or Arcfour encryption algorithms.
"
AFAIK, CryptiCore is not available in openssh.
As for Arcfour, according to Wikipedia,
"
While remarkable for its simplicity and speed in software, RC4 is vulnerable
to attacks when the beginning of the output keystream is not discarded, or a
single keystream is used twice...
"
[http://en.wikipedia.org/wiki/Arcfour]
On a good side, Slackware doesn't use openssh-4.7, and I am sure guys from
the openssh project are testing whether version 5.1/5.1p1 is vulnerable to
the new attack.
Cheers,
Mikhail |
Loki Harfagr Guest
|
Posted: Thu Nov 20, 2008 4:23 pm Post subject: Re: new openssh trouble? |
|
|
Thu, 20 Nov 2008 11:56:24 +0300, Mikhail Zotov did cat :
| Quote: | On 19 Nov 2008 08:41:48 GMT
Loki Harfagr <l0k1@thedarkdesign.free.fr.INVALID> wrote:
Tue, 18 Nov 2008 18:28:40 +0100, Simon Sibbez did cat :
Hi list,
see http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
S.
I'd block in the sshd_config:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Are you sure?
|
yes :-)
| Quote: | A quotation from http://ssh.com/company/news/article/953/
"
An immediate workaround is to refrain from using CBC mode block ciphers
in Secure Shell (SSH) sessions.
|
yes, then use CTR
and on the client side, also set the same in /etc/ssh/ssh_config:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
| Quote: | "
Then they say:
"
In practice this is achievable ... by utilizing either CryptiCore or
Arcfour encryption algorithms. "
|
you forgot in your "..." that the sentence is applied to
the restricted set: " with the SSH Tectia products ".
....
| Quote: | On a good side, Slackware doesn't use openssh-4.7, and I am sure guys
from the openssh project are testing whether version 5.1/5.1p1 is
vulnerable to the new attack.
|
hopefully
though, in the CPNI Vulnerability Advisory they write the
somewhat fuzzy set of appliance:
"
Other versions are also affected. Other implementations of the SSH
protocol may also be affected.
"
then... better -ctr than sorry ;-)
and on the client side, also set the same in /etc/ssh/ssh_config:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr |
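Added example (not part of any poster's message): one way to verify that the `Ciphers` workaround discussed in this thread is actually in effect in an sshd_config or ssh_config file. The sample configs are constructed, the function names are hypothetical, and Host/Match scoping is assumed away.

```python
import re

# Constructed sample configs for illustration (not from any poster's system).
SERVER_CTR_ONLY = "Port 22\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n"
CLIENT_MIXED = "Host *\n    Ciphers aes256-ctr,aes128-cbc,3des-cbc\n"
NO_CIPHERS_LINE = "Port 22\nProtocol 2\n"

CIPHERS_RE = re.compile(r"ciphers(?:\s*=\s*|\s+)(\S.*)$", re.IGNORECASE)


def effective_ciphers(config_text):
    """Return the list from the first Ciphers line, or None if there is none.

    OpenSSH keeps the first value it obtains for a keyword, so later Ciphers
    lines are ignored. Assumption: Host/Match scoping is not modelled.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CIPHERS_RE.match(line)
        if m:
            return [c.strip() for c in m.group(1).split(",") if c.strip()]
    return None


def audit(config_text):
    """Return (status, cbc_ciphers) for one sshd_config or ssh_config text."""
    ciphers = effective_ciphers(config_text)
    if not ciphers:
        # No explicit list: the build's defaults apply and must be checked.
        return "defaults-in-use", []
    if ciphers[0][0] in "+-^":
        # Newer OpenSSH syntax that edits the default list instead of replacing it.
        return "relative-to-defaults", []
    cbc = [c for c in ciphers if "-cbc" in c.lower()]
    return ("cbc-enabled", cbc) if cbc else ("ok", [])


if __name__ == "__main__":
    for name, text in [("server", SERVER_CTR_ONLY), ("client", CLIENT_MIXED),
                       ("bare", NO_CIPHERS_LINE)]:
        print(name, audit(text))
```

A `defaults-in-use` or `relative-to-defaults` result means the file alone does not settle the question and the installed build's default cipher list has to be inspected as well.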
Robby Workman Guest
|
Posted: Fri Nov 21, 2008 10:59 pm Post subject: Re: new openssh trouble? |
|
|
On 2008-11-18, Simon Sibbez <simon.sibbez@buerotiger.de> wrote:
| Quote: |
see http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
|
http://marc.info/?l=openssh-unix-dev&m=122726312825043&w=2
-RW |
Theodore Heise Guest
|
Posted: Sun Nov 23, 2008 7:19 pm Post subject: Re: new openssh trouble? |
|
|
On Fri, 21 Nov 2008 16:59:26 +0000,
Robby Workman <newsgroups@rlworkman.net> wrote:
| Quote: | On 2008-11-18, Simon Sibbez <simon.sibbez@buerotiger.de> wrote:
see http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
http://marc.info/?l=openssh-unix-dev&m=122726312825043&w=2
|
Thanks, Robby. Very helpful information.
--
Theodore (Ted) Heise <theo@heise.nu> Bloomington, IN, USA |