============================================================================

CORE SDI S.A.
Buenos Aires, Argentina
<http://www.core-sdi.com>


SSH insertion attack detection
============================================================================

Crc32 Compensation attack detector
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This document describes the scope and characteristics of the SSH crc32
compensation attack detector engine. The detector inspects an encrypted SSH
protocol 1.5 stream for suspicious patterns. If either the server or client
is under attack, the detector closes the connection and logs the attack.

Attack characteristics
~~~~~~~~~~~~~~~~~~~~~~
An attacker with sniffing and spoofing capabilities on the SSH network stream
may perform an active network attack by constructing a packet from a known
cipher/plaintext pair and computing additional data to fill the packet so
that it produces a valid CRC-32 field and passes as a valid packet when
decrypted and integrity checked on the server side.
If the attack succeeds, arbitrary commands will get executed on the server.

This attack doesn't affect the confidentiality characteristics of the
products using these protocols. However, the integrity and authentication
of packets can no longer be trusted.

Solution
~~~~~~~~
This is not an implementation bug, but a protocol design vulnerability. The
protocol must be updated to use cryptographically strong message
authentication codes. SSH protocol version 2 as published in [1] includes the
use of a real strong MAC.
However, this requires updating all clients and servers simultaneously
while disabling compatibility with protocol version 1.5. On many installations
this is not practical.

A mid-term solution exists that will help protect the server from the
auth/integrity vulnerabilities. In most scenarios it will be enough to upgrade
only the servers.

This approach is based on the fact that an attacker will need to exploit some
of the linear characteristics of the integrity function in order to implement
the attack. In that context, the constructed packets will follow certain
patterns that can be detected on the encrypted stream.

This is not a general solution, but a countermeasure against a model of all
of the possible attacks that exploit these vulnerabilities.

The provided patch looks for patterns of repeated ciphered blocks in
each SSH packet received. The performance loss in speed is less than 2% in an
uncompressed stream compared to an unpatched server. Memory usage increases
by about 8k per connection.
The chance of reporting a false attack in a 32GB file transfer is around
1 in 2**51.

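The repeated-block check described above, as an added example that is not the
code from deattack.c. It assumes 8-byte cipher blocks; scan_packet and the
STREAM_* names are hypothetical, and the packet in main() is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK 8            /* assumed cipher block size (64-bit block ciphers) */
#define UNUSED 0xffffffffu /* marks an empty hash slot */

enum { STREAM_OK = 0, STREAM_REPEAT = 1, STREAM_ERROR = -1 };

/* Hypothetical helper: scan one encrypted packet for a repeated cipher block. */
int scan_packet(const unsigned char *buf, size_t len)
{
    size_t nblocks = len / BLOCK, size = 16, i, slot;
    uint32_t *table, key;
    int verdict = STREAM_OK;

    if (len % BLOCK != 0 || nblocks > UINT32_MAX / 4)
        return STREAM_ERROR;               /* not a whole number of blocks */
    while (size < nblocks * 2)             /* keep the load factor under 50% */
        size <<= 1;
    table = malloc(size * sizeof(*table));
    if (table == NULL)
        return STREAM_ERROR;
    memset(table, 0xff, size * sizeof(*table));   /* every slot UNUSED */

    for (i = 0; i < nblocks && verdict == STREAM_OK; i++) {
        /* Ciphertext is already uniformly distributed: use its bytes as hash. */
        memcpy(&key, buf + i * BLOCK, sizeof(key));
        for (slot = key & (size - 1); table[slot] != UNUSED;
             slot = (slot + 1) & (size - 1)) {
            if (memcmp(buf + (size_t)table[slot] * BLOCK,
                       buf + i * BLOCK, BLOCK) == 0) {
                verdict = STREAM_REPEAT;   /* same block seen earlier */
                break;
            }
        }
        if (verdict == STREAM_OK)
            table[slot] = (uint32_t)i;     /* remember this block's index */
    }
    free(table);
    return verdict;
}

int main(void)
{
    const unsigned char pkt[] = "AAAAAAAABBBBBBBBAAAAAAAA"; /* constructed */
    return scan_packet(pkt, 24) == STREAM_REPEAT ? 0 : 1;
}
```

A caller in the position of the detector would close the connection and log
the event when the result is STREAM_REPEAT.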

Contact information
~~~~~~~~~~~~~~~~~~~

These vulnerabilities were discovered by Ariel Futoransky
and Emiliano Kargieman.

Comments and questions regarding this vulnerability and the fix
should be sent to:

Ariel Futoransky <futo@core-sdi.com>
Emiliano Kargieman <ek@core-sdi.com>

For more information about CORE SDI S.A. contact <core@core-sdi.com>
or visit <http://www.core-sdi.com>

For more information about this problem and related ones visit:

<http://www.core-sdi.com/ssh>

You can contact CORE SDI S.A. at <corelabs@core-sdi.com> using the
following PGP key:

Copyright
~~~~~~~~~

This file, deattack.c and deattack.h are copyright (c) 1998
CORE SDI S.A., Buenos Aires, Argentina. All rights reserved.
and should be redistributed or modified for non-commercial purposes only
provided that this copyright notice is retained.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES
ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING
FROM THE USE OR MISUSE OF THIS SOFTWARE.