Announce: OpenSSH 7.5 released

[Damien Miller]

On Tue, 21 Mar 2017, Jakub Jelen wrote:

> On 03/20/2017 02:31 PM, Damien Miller wrote:
> > OpenSSH 7.5 has just been released. It will be available from the
> > mirrors listed at http://www.openssh.com/ shortly.
> > 
> > 
> > Security
> > --------
> > 
> >  * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
> >    that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
> >    Note that the OpenSSH client disables CBC ciphers by default, sshd
> >    offers them as lowest-preference options and will remove them by
> >    default entriely in the next release. Reported by Jean Paul
> >    Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
> >    Royal Holloway, University of London.
> 
> Can we get some clarification on this CBC weakness from you or from the
> reporters? There is no update in the security page according to this security
> issue.

I've asked Kenny Paterson if he has some details he can share. Otherwise
I'll write something up. The impact is similar to the original CBC padding
attack:

http://www.openssh.com/txt/cbc.adv
http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf

> So far I understood that the CBC modes are disabled because we have better
> ciphers to choose from. Also I still have understanding that any of the
> attacks presented so far were not feasible. Did it change?

They're borderline feasible in the case of client/server pairs that retry
endlessly and carry private data. IIRC the cost of mounting the attack is
in the order of hundreds of thousands of disrupted connections per word
pilfered.

The main thing that convinced us to un-default the remaining CBC
ciphers in the next release is that the countermeasures code has needed
repair multiple times. IMO this is a signal that we're wasting effort on
something that is 1) providing a false sense of security and 2) keeping
CBC on life-support in the wider SSH ecosystem when we should be pulling
the plug.

-d