[11647] | 1 | ============================================================================ |
---|
| 2 | |
---|
| 3 | CORE SDI S.A. |
---|
| 4 | Buenos Aires, Argentina |
---|
| 5 | <http://www.core-sdi.com> |
---|
| 6 | |
---|
| 7 | |
---|
| 8 | SSH insertion attack detection |
---|
| 9 | ============================================================================ |
---|
| 10 | |
---|
| 11 | |
---|
| 12 | Crc32 Compensation attack detector |
---|
| 13 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
---|
| 14 | This document describes the scope and characteristics of SSH crc32 |
---|
| 15 | compensation attack detector engine. It will inspect an encrypted SSH protocol |
---|
| 16 | 1.5 stream for suspicious patterns. If either the server or client is under |
---|
| 17 | attack, the detector closes the conection and logs the attack. |
---|
| 18 | |
---|
| 19 | |
---|
| 20 | Attack characteristics |
---|
| 21 | ~~~~~~~~~~~~~~~~~~~~~~ |
---|
| 22 | An attacker, with sniffing and spoofing capabilities on the SSH network stream, may perform an active network attack by constructing a packet using a |
---|
| 23 | known cipher/plaintext pair and computing addditional data to fill the packet |
---|
| 24 | in a way that will produce a valid CRC-32 field and pass as a valid packet when |
---|
| 25 | decryped and integrity checked on the server side. |
---|
| 26 | If the attack succeeds, arbitrary commands will get executed on the server. |
---|
| 27 | |
---|
| 28 | This attack doesnt affect the confidential security characteristics of the |
---|
| 29 | products using this protocols. However, integrity and authentication |
---|
| 30 | of packets can no longer be trusted. |
---|
| 31 | |
---|
| 32 | Solution |
---|
| 33 | ~~~~~~~~ |
---|
| 34 | This is not an implementation bug, but a protocol design vulnerability. The |
---|
| 35 | protocol must be updated to use cryptographic strong message authentication |
---|
| 36 | codes. SSH Protocol version 2 as published in [1] includes the use of a real |
---|
| 37 | strong MAC. |
---|
| 38 | However, this will require to update all clients and servers simultaneusly |
---|
| 39 | while disabling compatibility with protocol version 1.5. On many installations |
---|
| 40 | this is not practical. |
---|
| 41 | |
---|
| 42 | A mid-term solution exists, that will help protecting the server from the |
---|
| 43 | auth/integrity vulnerabilities. On most scenarios it will be enough to upgrade |
---|
| 44 | only the servers. |
---|
| 45 | |
---|
| 46 | This approach is based on the fact that an attacker will need to exploit some |
---|
| 47 | of the linear characteristics of the integrity function in order to implement |
---|
| 48 | the attack. In that context, the constructed packets will follow certain |
---|
| 49 | patterns that could be detected on the encrypted stream. |
---|
| 50 | |
---|
| 51 | This is not a general solution, but a countermeasure against a model of all |
---|
| 52 | of the possible attacks that exploits this vulnerabilities. |
---|
| 53 | |
---|
| 54 | The provided patch looks for patterns of repeated ciphered blocks in |
---|
| 55 | each SSH packet received, the performance loss in speed is less 2% in an |
---|
| 56 | uncompressed stream compared to an unpatched server. Memory usage increases |
---|
| 57 | in about 8k per conection. |
---|
| 58 | The chances of reporting a false attack in a 32GB file transfer is around |
---|
| 59 | 1 in 2**51. |
---|
| 60 | |
---|
| 61 | Contact information |
---|
| 62 | ~~~~~~~~~~~~~~~~~~~ |
---|
| 63 | |
---|
| 64 | These vulnerabilities were discovered by Ariel Futoransky |
---|
| 65 | and Emiliano Kargieman. |
---|
| 66 | |
---|
| 67 | Comments and questions regarding this vulnerability and the fix |
---|
| 68 | should be sent to: |
---|
| 69 | |
---|
| 70 | Ariel Futoransky <futo@core-sdi.com> |
---|
| 71 | Emiliano Kargieman <ek@core-sdi.com> |
---|
| 72 | |
---|
| 73 | For more information about CORE SDI S.A. contact <core@core-sdi.com> |
---|
| 74 | or visit <http://www.core-sdi.com> |
---|
| 75 | |
---|
| 76 | For more information about this problem and related ones visit: |
---|
| 77 | |
---|
| 78 | <http://www.core-sdi.com/ssh> |
---|
| 79 | |
---|
| 80 | You can contact CORE SDI S.A. at <corelabs@core-sdi.com> using the |
---|
| 81 | the following PGP key: |
---|
| 82 | |
---|
| 83 | -----BEGIN PGP PUBLIC KEY BLOCK----- |
---|
| 84 | Version: 2.6.3ia |
---|
| 85 | Comment: Requires PGP version 2.6 or later. |
---|
| 86 | |
---|
| 87 | mQCNAzVgfMgAAAEEAJSfJNdvCwIAc4AK0ckeimubLIwzsRVDRhjPQIOYt/7kxxio |
---|
| 88 | DZybr53fwMEjyT8cHXRL08i0R9rcuFeCNAez6XcalbhqUKXDcLL/cZK80CCDSCs5 |
---|
| 89 | tRCZGGOEBnXQIoyvbvi4gNYhBS5wUvmh3b/mvRFTvhmRrUy9m/nO/LnPTgz1AAUR |
---|
| 90 | tCBDT1JFTEFCUyA8Y29yZWxhYnNAY29yZS1zZGkuY29tPokAlQMFEDVgfMn5zvy5 |
---|
| 91 | z04M9QEBC6ED/0Szt3f54JTvkZG3ezQ8G60HvAw4/A5Ti6i3oze6jsXxzGp6pA1x |
---|
| 92 | i0jaZpKaUSpo0MLc7BcijMKneuUHnN3XtN5YxtFt0aEoot1MIvv4BsdeUb3x257G |
---|
| 93 | 3+vr8SxGk44Vm4tfuN8F/2dNo/00yYP9rd3zQ8Tl+gmr5VxnLViZIDuh |
---|
| 94 | =ulRg |
---|
| 95 | -----END PGP PUBLIC KEY BLOCK----- |
---|
| 96 | |
---|
| 97 | Copyright |
---|
| 98 | ~~~~~~~~~ |
---|
| 99 | |
---|
| 100 | This file, deattack.c and deattack.h are copyright (c) 1998 |
---|
| 101 | CORE SDI S.A., Buenos Aires, Argentina. All rights reserved. |
---|
| 102 | and should be redistributed or modified for non-commercial purposes only |
---|
| 103 | provided that this copyright notice is retained. |
---|
| 104 | |
---|
| 105 | THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES |
---|
| 106 | ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, |
---|
| 107 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING |
---|
| 108 | FROM THE USE OR MISUSE OF THIS SOFTWARE. |
---|
| 109 | |
---|