Upgrade libssh (CVE-2016-0739)
=======================================================================

== Subject: Weakness in diffie-hellman secret key generation

== CVE ID#: CVE-2016-0739

== Versions: All versions of libssh 0.1 and later

== Summary: Due to a bug in the ephemeral secret key generation for
== the diffie-hellman-group1 and diffie-hellman-group14
== methods, ephemeral secret keys of size 128 bits are
== generated, instead of the recommended sizes of 1024 and
== 2048 bits, giving a practical security of 63 bits.
== This vulnerability could be exploited by an eavesdropper
== with enough resources to decrypt or intercept SSH
== sessions.
== No authentication is required.

=======================================================================

===========

Description

libssh versions 0.1 and above have a bits/bytes confusion bug and generate an
anomalously short ephemeral secret for the diffie-hellman-group1 and
diffie-hellman-group14 key exchange methods.
The resulting secret is 128 bits long, instead of the recommended sizes of 1024
and 2048 bits respectively. There are practical algorithms (Baby steps/Giant
steps, Pollard's rho) that can solve this problem in O(2^63) operations.

Both client and server are vulnerable, pre-authentication.
This vulnerability could be exploited by an eavesdropper with enough resources
to decrypt or intercept SSH sessions.

The bug was found during an internal code review by Aris Adamantiadis of the
libssh team.

==================

Patch Availability

Patches addressing the issue have been posted to:

https://www.libssh.org/

libssh version 0.7.3 has been released to address this issue.

==========

Workaround

This issue may be worked around by using other key exchange methods, such as
curve25519-sha256@libssh.org or ecdh-sha2-nistp256, neither of which is vulnerable.
By default, an unpatched libssh implementation will already attempt to use
these two more secure methods when supported by the other party.

=======

Credits

The bug was found during code review by Aris Adamantiadis.

Patches are provided by the libssh team.

==========================================================

== The libssh team

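The consequence of the bits/bytes confusion in the advisory above is easiest to see by attacking it. What follows is an added illustration, not libssh's code: it models an ephemeral secret x of a chosen bit length, publishes e = g^x in the real group1 prime from RFC 2409, and recovers a deliberately short x with baby-step/giant-step, which costs about 2^(bits/2) group operations. The function names (`generate_x`, `bsgs`, `recover_secret`, `attack_steps`) and the way the secret is generated are this example's own assumptions; the demo exponent sizes are kept small so it runs in seconds, while the same routine reports the work factor for the 128-bit and 1024/2048-bit cases the advisory discusses.

```python
"""Added illustration for CVE-2016-0739 (not libssh's code).

Models an ephemeral DH secret x of a chosen bit length, publishes e = g^x
in the real group1 prime, and recovers x with baby-step/giant-step (BSGS),
which costs about 2**(bits/2) group operations for a bits-bit exponent.
"""
import secrets
from math import isqrt

# Oakley group 2 prime used by diffie-hellman-group1-sha1 (RFC 2409 / RFC 4253).
# 1024 bits, generator 2. The group is public; only the exponent x is secret.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
GROUP1_G = 2

# Exponent sizes from the advisory: what unpatched libssh used (128 bits for
# both groups) versus the recommended size per method.
BUGGY_X_BITS = 128
RECOMMENDED_X_BITS = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha1": 2048,
}


def generate_x(nbits):
    """Ephemeral secret: a uniformly random nbits-bit integer (assumed model)."""
    return secrets.randbits(nbits)


def attack_steps(x_bits):
    """Giant-step count m used by bsgs() for an x_bits-bit exponent: ~2**(x_bits/2).

    For the buggy 128-bit x this is about 2**64 multiplications; the advisory
    puts the practical security at 63 bits. For 1024 bits it is about 2**512.
    """
    return isqrt(2 ** x_bits) + 1


def bsgs(g, h, p, max_bits):
    """Return x with pow(g, x, p) == h and 0 <= x < m*m, m = attack_steps(max_bits), or None.

    Baby-step/giant-step: m multiplications and a table of m group elements.
    Pollard's rho/lambda reach the same 2**(bits/2) time with negligible memory.
    """
    m = attack_steps(max_bits)          # m*m >= 2**max_bits covers every candidate x
    baby = {}                           # g^j -> j for 0 <= j < m
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)                # g^(-m); Python 3.8+ modular inverse
    cur = h                             # h * g^(-i*m) for i = 0, 1, ...
    for i in range(m):
        j = baby.get(cur)
        if j is not None:
            return i * m + j            # h = g^(i*m + j)
        cur = cur * step % p
    return None


def recover_secret(x_bits, p=GROUP1_P, g=GROUP1_G):
    """One party picks an x_bits-bit x and sends e = g^x; an eavesdropper attacks e.

    Returns (x, recovered). Keep x_bits <= 32 for an interactive run.
    """
    x = generate_x(x_bits)
    e = pow(g, x, p)                    # the only value an eavesdropper sees
    return x, bsgs(g, e, p, x_bits)


if __name__ == "__main__":
    for bits in (16, 24, 32):
        x, found = recover_secret(bits)
        print(f"{bits}-bit x: recovered={found == x}, giant steps={attack_steps(bits)}")
    print(f"buggy {BUGGY_X_BITS}-bit x: about 2^{attack_steps(BUGGY_X_BITS).bit_length() - 1} steps")
    for kex, bits in RECOMMENDED_X_BITS.items():
        print(f"{kex}, {bits}-bit x: about 2^{attack_steps(bits).bit_length() - 1} steps")
```

The eavesdropper never needs the shared secret directly: recovering either party's x from its public g^x gives the session key, which is why the advisory calls this pre-authentication and exploitable by a passive observer. Note that the group size is irrelevant to this attack; only the exponent length matters, which is why moving to the 1024/2048-bit exponents in 0.7.3, or to the ECDH/curve25519 methods named in the workaround, closes it.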

Comments

  • Is this Debian flavours only?

    telephone Member
    edited February 2016

    @ATHK said:
    Is this Debian flavours only?

    No. I linked to the Debian security tracker because I prefer their interface for CVE's. If you go to the Debian links above, they provide links to other distributions (under "Source").

  • @telephone said:
    No. I linked to the Debian security tracker because I prefer their interface for CVE's. If you go to Debian links above, they provide links to other distributions (under "Source").

    Thanks, didn't see that small line.

  • Should you have a configuration that does not accept Diffie-Hellman, this vulnerability does not affect you, though you should always keep up to date.
