dcsimg
Linux Today: Linux News On Internet Time.




Current Newswire:

More on LinuxToday

Progeny Security Advisory: OpenSSH subject to traffic analysis

Apr 13, 2001, 09:30 (0 Talkback[s]) 
Date:         Thu, 12 Apr 2001 14:03:53 -0500
From: Progeny Security Team <security@PROGENY.COM>
Subject:      PROGENY-SA-2001-04: OpenSSH subject to traffic analysis
PROGENY LINUX SYSTEMS -- SECURITY ADVISORY PROGENY-SA-2001-04

Topic: OpenSSH subject to traffic analysis

    Category:       net
    Module:         openssh
    Announced:      2001-04-12
    Credits:        Solar Designer <solar@openwall.com>
                    BugTraq Mailing List <bugtraq@securityfocus.com>
    Affects:        Progeny Debian (openssh prior to 2.5.2p2-0progeny1)
                    Debian GNU/Linux (openssh prior to 2.5.2)
    Vendor-Status:  New Version Released (openssh_2.5.2p2-0progeny1)
    Corrected:      2001-04-12

Progeny Only: NO

$Id: PROGENY-SA-2001-04,v 1.8 2001/04/12 18:02:02 jdaily Exp $

SYNOPSIS

A number of security problems existed in previous versions of OpenSSH which would allow an attacker obtain sensitive information by passively monitoring the encrypted SSH (Secure Shell) sessions.

PROBLEM DESCRIPTION

Solar Designer has conducted a very thorough analysis of several weaknesses in implementations of the SSH protocol. These weaknesses allow for an attacker to significantly speed up brute force attacks on passwords. Solar Designer's complete analysis can be found at the following page:

http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt

In February of 2001, Core SDI released a security announcement which described ways in which would allow an attacker to compromise the session of an SSH protocol 1.5 session. The detailed report is at the following URL:

http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm

IMPACT

Shortcomings in the OpenSSH implementation of the SSH protocol allow malicious third parties to compromise sensitive data.

SOLUTION

Upgrade to a fixed version of OpenSSH. You may use Progeny's OpenSSH package, version openssh_2.5.2p2-0progeny1, for convenience.

WORKAROUND

There is no known satisfactory work around at this time.

UPDATING VIA APT-GET

  1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's security update repository:

deb http://archive.progeny.com/progeny updates/newton/

2. Update your cache of available packages for apt(8).

Example:

# apt-get update

3. Using apt(8), install the new ssh package. apt(8) will download

the update, verify it's integrity with md5, and then install the package on your system with dpkg(8).

Example:

# apt-get install ssh

UPDATING VIA DPKG

  1. Using your preferred FTP/HTTP client to retrieve the following updated files from Progeny's update archive at:

http://archive.progeny.com/pub/progeny/updates/newton/

    Filename                             MD5 Checksum

http://ssh_2.5.2p2-0progeny1_i386.deb       c64fdf411514850f3854a6395c5e178c

Example:

# wget http://archive.progeny.com/progeny/updates/newton/ssh_2.5.2p2-0progeny1_i386.deb

2. Use the md5sum command on the retrieved file to verify that it matches

the md5sum provided in this advisory:

Example:

# md5sum ssh_2.5.2p2-0progeny1_i386.deb

3. Then install the replacement package(s) using the dpkg command.

Example:

# dpkg --install ssh_2.5.2p2-0progeny1_i386.deb

MORE INFORMATION

There is no more information available at this time.

pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>