Progeny Security Advisory: OpenSSH subject to traffic analysis | Linux Today

Written By
Web Webster
Apr 13, 2001
Date:         Thu, 12 Apr 2001 14:03:53 -0500
From: Progeny Security Team <security@PROGENY.COM>
Subject:      PROGENY-SA-2001-04: OpenSSH subject to traffic analysis

PROGENY LINUX SYSTEMS — SECURITY ADVISORY
PROGENY-SA-2001-04

Topic: OpenSSH subject to traffic analysis

    Category:       net
    Module:         openssh
    Announced:      2001-04-12
    Credits:        Solar Designer <solar@openwall.com>
                    BugTraq Mailing List <bugtraq@securityfocus.com>
    Affects:        Progeny Debian (openssh prior to 2.5.2p2-0progeny1)
                    Debian GNU/Linux (openssh prior to 2.5.2)
    Vendor-Status:  New Version Released (openssh_2.5.2p2-0progeny1)
    Corrected:      2001-04-12

Progeny Only: NO

$Id: PROGENY-SA-2001-04,v 1.8 2001/04/12 18:02:02 jdaily Exp $


SYNOPSIS

A number of security problems existed in previous versions of
OpenSSH which would allow an attacker to obtain sensitive information
by passively monitoring encrypted SSH (Secure Shell) sessions.

PROBLEM DESCRIPTION

Solar Designer has conducted a very thorough analysis of several
weaknesses in implementations of the SSH protocol. These weaknesses
allow for an attacker to significantly speed up brute force attacks
on passwords. Solar Designer’s complete analysis can be found at
the following page:


http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt

In February of 2001, Core SDI released a security announcement
which described ways in which an attacker could compromise an
SSH protocol 1.5 session. The detailed report is at the
following URL:

http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm

IMPACT

Shortcomings in the OpenSSH implementation of the SSH protocol
allow malicious third parties to compromise sensitive data.

SOLUTION

Upgrade to a fixed version of OpenSSH. You may use Progeny’s
OpenSSH package, version openssh_2.5.2p2-0progeny1, for
convenience.

WORKAROUND

There is no known satisfactory workaround at this time.

UPDATING VIA APT-GET

  1. Ensure that your /etc/apt/sources.list file has a URI for
     Progeny’s security update repository:

         deb http://archive.progeny.com/progeny updates/newton/

  2. Update your cache of available packages for apt(8).

     Example:

         # apt-get update

  3. Using apt(8), install the new ssh package. apt(8) will download
     the update, verify its integrity with md5, and then install the
     package on your system with dpkg(8).

     Example:

         # apt-get install ssh

UPDATING VIA DPKG

  1. Use your preferred FTP/HTTP client to retrieve the following
     updated files from Progeny’s update archive at:

         http://archive.progeny.com/pub/progeny/updates/newton/

         Filename                          MD5 Checksum
         ssh_2.5.2p2-0progeny1_i386.deb    c64fdf411514850f3854a6395c5e178c

     Example:

         # wget http://archive.progeny.com/progeny/updates/newton/ssh_2.5.2p2-0progeny1_i386.deb

  2. Use the md5sum command on the retrieved file to verify that it
     matches the md5sum provided in this advisory:

     Example:

         # md5sum ssh_2.5.2p2-0progeny1_i386.deb

  3. Then install the replacement package(s) using the dpkg command.

     Example:

         # dpkg --install ssh_2.5.2p2-0progeny1_i386.deb
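
The verify and install steps above as one script, added here as an example and not part of Progeny's advisory: it compares the downloaded file's MD5 digest with the value published above and runs dpkg only on a match. The function names verify_md5 and install_if_verified are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Progeny advisory): check a downloaded package
# against the MD5 checksum published in the advisory before installing it.

# Values copied from the advisory text.
PKG="ssh_2.5.2p2-0progeny1_i386.deb"
EXPECTED_MD5="c64fdf411514850f3854a6395c5e178c"

# verify_md5 FILE EXPECTED   (hypothetical helper name)
# Returns 0 only if FILE exists and its MD5 digest equals EXPECTED
# (compared case-insensitively). Returns 1 on mismatch, 2 on bad input.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Reject anything that is not exactly 32 hex digits, so a truncated or
    # mistyped checksum can never be accepted as a match.
    case $expected in
        *[!0-9a-f]*) echo "bad checksum format" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "bad checksum length" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # md5sum prints "<digest>  <name>"; keep only the digest.
    actual=$(md5sum < "$file" | cut -d' ' -f1) || return 2
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MD5 mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# install_if_verified FILE EXPECTED [INSTALLER...]   (hypothetical helper name)
# Runs the installer (default: dpkg --install) only after the check passes.
install_if_verified() {
    file=$1; expected=$2; shift 2
    [ "$#" -gt 0 ] || set -- dpkg --install
    verify_md5 "$file" "$expected" || return $?
    "$@" "$file"
}

# Usage (as root, in the directory holding the download):
#   install_if_verified "$PKG" "$EXPECTED_MD5"
```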

MORE INFORMATION

There is no more information available at this time.


pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>
