Newsletter IconFacebook IconX IconThreads IconInstagram IconYouTube IconPinterest Icon
Giveaway: Win an ASRock B850 Riptide WiFi and Phantom Gaming PG-850G PSU

Flaw in OpenSSH could compromise data

Insecurity strikes again.

Comments
TweakTown
Published
Updated
1 minute & 15 seconds read time
Voice: Default
0:00 / --:--
Use left and right arrow keys to seek audio.

A critical flaw in the OpenSSH standard has been fully disclosed by a team of researchers at the Royal Holloway, University of London.

The flaw lays in the ability of an attacker for force certain parts of the encryption sequence into plain text. They can force up to 32 bit of text out into the clear. The chances of this are slim but are still there and represent vulnerability for any highly sensitive information or data.

The attack uses flaws in the RFC (request for comment) standard that makes up OpenSSH. This problem was first disclosed in November 2008 but not all the details were made public.

The issue can be protected against by using AES in CTR mode instead of CBC (Cipher-Block Chaining Mode). The flaw is open in OpenSSH 4.7, Version 5.2 introduces counter measures against the flaw but does not actually correct the flaw.


Read more here.

Flaw in OpenSSH could compromise data



According to Paterson, a man-in-the-middle attacker could sit on a network and grab blocks of encrypted text as they are sent from client to server. By retransmitting the blocks to the server, an attacker can work out the first four bytes of corresponding plaintext. The attacker can do this by counting how many bytes the attacker sends until the server generates an error message and tears down the connection, then working backward to deduce what was in the OpenSSH encryption field before encryption.

The attack relies on flaws in the RFC (Request for Comments) Internet standards that define SSH, said Paterson.

Paterson gave a talk on Monday at the IEEE Symposium on Security and Privacy in Oakland, Calif., to explain his group's research findings. The three ISG academics involved in the research were Paterson, Martin Albrecht, and Gaven Watson.

Comments

Stay Updated

Follow TweakTown for breaking tech news, reviews, and daily updates.

Add TweakTown as a preferred source on GoogleFind TweakTown on Apple News
Newsletter Subscription