Date: Thu, 12 Apr 2001 14:03:53 -0500 From: Progeny Security Team <security@PROGENY.COM> Subject: PROGENY-SA-2001-04: OpenSSH subject to traffic analysis
PROGENY LINUX SYSTEMS — SECURITY ADVISORY
PROGENY-SA-2001-04
Topic: OpenSSH subject to traffic analysis
Category: net
Module: openssh
Announced: 2001-04-12
Credits: Solar Designer <solar@openwall.com>
BugTraq Mailing List <bugtraq@securityfocus.com>
Affects: Progeny Debian (openssh prior to 2.5.2p2-0progeny1)
Debian GNU/Linux (openssh prior to 2.5.2)
Vendor-Status: New Version Released (openssh_2.5.2p2-0progeny1)
Corrected: 2001-04-12
Progeny Only: NO
$Id: PROGENY-SA-2001-04,v 1.8 2001/04/12 18:02:02 jdaily Exp
$
SYNOPSIS
A number of security problems existed in previous versions of
OpenSSH which would allow an attacker obtain sensitive information
by passively monitoring the encrypted SSH (Secure Shell)
sessions.
PROBLEM DESCRIPTION
Solar Designer has conducted a very thorough analysis of several
weaknesses in implementations of the SSH protocol. These weaknesses
allow for an attacker to significantly speed up brute force attacks
on passwords. Solar Designer’s complete analysis can be found at
the following page:
http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
In February of 2001, Core SDI released a security announcement
which described ways in which would allow an attacker to compromise
the session of an SSH protocol 1.5 session. The detailed report is
at the following URL:
http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm
IMPACT
Shortcomings in the OpenSSH implementation of the SSH protocol
allow malicious third parties to compromise sensitive data.
SOLUTION
Upgrade to a fixed version of OpenSSH. You may use Progeny’s
OpenSSH package, version openssh_2.5.2p2-0progeny1, for
convenience.
WORKAROUND
There is no known satisfactory work around at this time.
UPDATING VIA APT-GET
- Ensure that your /etc/apt/sources.list file has a URI for
Progeny’s security update repository:
deb http://archive.progeny.com/progeny updates/newton/
2. Update your cache of available packages for apt(8).
Example:
# apt-get update
3. Using apt(8), install the new ssh package. apt(8) will
download
the update, verify it’s integrity with md5, and then install the
package on your system with dpkg(8).
Example:
# apt-get install ssh
UPDATING VIA DPKG
- Using your preferred FTP/HTTP client to retrieve the following
updated files from Progeny’s update archive at:
http://archive.progeny.com/pub/progeny/updates/newton/
Filename MD5 Checksum
http://ssh_2.5.2p2-0progeny1_i386.deb c64fdf411514850f3854a6395c5e178c
Example:
# wget
http://archive.progeny.com/progeny/updates/newton/ssh_2.5.2p2-0progeny1_i386.deb
2. Use the md5sum command on the retrieved file to verify that
it matches
the md5sum provided in this advisory:
Example:
# md5sum ssh_2.5.2p2-0progeny1_i386.deb
3. Then install the replacement package(s) using the dpkg
command.
Example:
# dpkg –install ssh_2.5.2p2-0progeny1_i386.deb
MORE INFORMATION
There is no more information available at this time.
pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>