openSSH and SLOTH vulnerability
Jakub Jelen
jjelen at redhat.com
Tue Jan 19 02:21:42 AEDT 2016
On 01/18/2016 10:39 AM, Sandeep Umesh wrote:
> 1. For SSH2 exposure for the (CVE-2015-7575) SLOTH (
> http://www.mitls.org/pages/attacks/SLOTH), the chart in that URL
> identifies a downgrade attack for SSH2 protocol, Key Exchange Integrity
> SHA1. Is the remediation for that vulnerability to modify the config
> files to remove the MD5 and SHA1 as MAC's (Message Authentication Codes) ?
No. It is not about HMACs used in the transport protocol,
but about DH authentication codes. They are
part of the KEX algoritms, such as diffie-hellman-group1-sha1 or
diffie-hellman-group-exchange-sha256, where the SHA1 is vulnerable to
downgrade attack, as described in the paper [1]. You can remove
diffie-hellman-group14-sha1 from default KexAlgorithms list,
but you might end up not able to connect to some servers.
> 2. Is there any exposure related to using the ssh-keygen for the initial
> creation of the public/private key pairs or the exposure of the related
> fingerprint used (https://en.wikipedia.org/wiki/Public_key_fingerprint) ?
This is completely unrelated. Attacker as a MitM can tamper with
both client and server cipher-suites during key exchange and might
downgrade the negotiate ciphersuite to a weak cryptographic algorithm
that he knows how to break. It is based on the knowledge of server and
client identification strings, if I am right.
It is still more theoretical since it needs a lot of work per connection
(2^77),
which is less then the 2^160 as should sha1 provide, but still more than is
should feasible.
Feel free to correct me if I read the report wrong at some point.
[1] http://www.mitls.org/downloads/transcript-collisions.pdf
Regards,
--
Jakub Jelen
Security Technologies
Red Hat
More information about the openssh-unix-dev
mailing list