openSSH and SLOTH vulnerability

Jakub Jelen jjelen at redhat.com
Tue Jan 19 02:21:42 AEDT 2016


On 01/18/2016 10:39 AM, Sandeep Umesh wrote:
> 1. For SSH2 exposure for the (CVE-2015-7575) SLOTH (
> http://www.mitls.org/pages/attacks/SLOTH), the chart in that URL
> identifies a downgrade attack for SSH2 protocol, Key Exchange Integrity
> SHA1.  Is the remediation for that vulnerability to modify the config
> files to remove the MD5 and SHA1 as MAC's (Message Authentication Codes) ?
No. It is not about HMACs used in the transport protocol,
but about DH authentication codes. They are
part of the KEX algoritms, such as diffie-hellman-group1-sha1 or
diffie-hellman-group-exchange-sha256, where the SHA1 is vulnerable to
downgrade attack, as described in the paper [1]. You can remove
diffie-hellman-group14-sha1 from default KexAlgorithms list,
but you might end up not able to connect to some servers.
> 2. Is there any exposure related to using the ssh-keygen for the initial
> creation of the public/private key pairs or the exposure of the related
> fingerprint used (https://en.wikipedia.org/wiki/Public_key_fingerprint) ?
This is completely unrelated. Attacker as a MitM can tamper with
both client and server cipher-suites during key exchange and might
downgrade the negotiate ciphersuite to a weak cryptographic algorithm
that he knows how to break. It is based on the knowledge of server and
client identification strings, if I am right.

It is still more theoretical since it needs a lot of work per connection 
(2^77),
which is less then the 2^160 as should sha1 provide, but still more than is
should feasible.

Feel free to correct me if I read the report wrong at some point.

[1] http://www.mitls.org/downloads/transcript-collisions.pdf

Regards,

-- 
Jakub Jelen
Security Technologies
Red Hat



More information about the openssh-unix-dev mailing list