[arch-security] [ASA-201602-20] libssh2: man-in-the-middle
Levente Polyak
anthraxx at archlinux.org
Thu Feb 25 01:55:00 UTC 2016
Arch Linux Security Advisory ASA-201602-20
==========================================
Severity: High
Date : 2016-02-25
CVE-ID : CVE-2016-0787
Package : libssh2
Type : man-in-the-middle
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package libssh2 before version 1.7.0-1 is vulnerable to
man-in-the-middle.
Resolution
==========
Upgrade to 1.7.0-1.
# pacman -Syu "libssh2>=1.7.0-1"
The problem has been fixed upstream in version 1.7.0.
Workaround
==========
This issue may be worked around by using other key exchange methods,
such as curve25519-sha256 at libssh.org or ecdh-sha2-nistp256, both are not
vulnerable. By default, an unpatched libssh2 implementation will already
attempt to use these two more secure methods when supported by the other
party.
Description
===========
There is a bits/bytes confusion bug resulting in generation of a
significantly short ephemeral secret for the diffie-hellman-group1 and
diffie-hellman-group14 key exchange methods. The resulting secret is 128
bits long, instead of the recommended sizes of 1024 and 2048 bits
respectively. There are practical algorithms (Baby steps/Giant steps,
Pollard's rho) that can solve this problem in O(2^63) operations.
Using such drastically reduced amount of random bits for Diffie Hellman
weakened the handshake security significantly. This vulnerability could
be exploited by an eavesdropper with enough resources to decrypt or
intercept SSH sessions.
Impact
======
A remote attacker is able to use this flaw to decrypt or intercept SSH
sessions.
References
==========
https://www.libssh2.org/adv_20160223.html
https://access.redhat.com/security/cve/CVE-2016-0787
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160225/3d8a289d/attachment.asc>
More information about the arch-security
mailing list