Attachmate Security Update for CSIRTUK Vulnerability #CPNI-957: Plaintext Recovery Attack Against SSH
Technical Note 2398
Last Reviewed 04-Jun-2009
Applies To
Reflection for IBM 2008
Reflection for IBM 2007
Reflection for IBM version 10.0 through 14.0 SP6
Reflection for UNIX and OpenVMS 2008
Reflection for UNIX and OpenVMS version 10.0 through 14.0 SP6
Reflection Standard Suite 2008
Reflection for the Multi-Host Enterprise Professional Edition version 10.0 through 14.0 SP6
Reflection for the Multi-Host Enterprise Standard Edition version 10.0 through 14.0 SP6
Reflection X Advantage version 2.0
Reflection X 2008
Reflection X version 10.0 through 14.0 SP6
Reflection Suite for X version 10.0 through 14.0 SP6
KEA! X version 6.0 or higher
Reflection for HP version 10.0 through 14.0 SP6
Reflection FTP Client version 10.0 through 14.0 SP6
Reflection for the Web 2008 (All Editions)
Reflection for the Web version 6.0 through 9.6
EXTRA! X-treme version 8.0 through 9.x
myEXTRA! Enterprise version 7.1a or higher
INFOConnect version 7.5 or higher
Reflection for Secure IT UNIX Client version 6.0 through 7.0 SP1
Reflection for Secure IT UNIX Server version 6.0 through 7.0 SP1
Reflection for Secure IT Windows Client version 6.0 through 7.0 SP1
Reflection for Secure IT Windows Server version 6.0 through 7.0 SP1
F-Secure SSH Client for UNIX version 5.0
F-Secure SSH Server for UNIX version 5.0
F-Secure SSH Client for Windows version 5.4
F-Secure SSH Server for Windows version 5.x
Summary
This technical note describes a design flaw in the SSH protocol use of block ciphers in cipher block chaining mode; lists the affected Attachmate products; and provides solutions and workaround options to address the vulnerability.
Vulnerability Details
A design flaw in the SSH protocol use of block ciphers in cipher block chaining (CBC) mode (as specified in IETF RFC 4253) could allow a man-in-the-middle attacker to recover up to four bytes of plaintext per connection. Although the severity of the attack is considered high, the likelihood of a successful attack is considered low, as this attack would result in repeatedly terminating the user’s SSH connection.
For details, see the Combined Security Incident Response Team - United Kingdom (CSIRTUK) advisory on the Centre for the Protection of National Infrastructure (CPNI) web site: http://www.cpni.gov.uk/Products/3716.aspx.
Because this flaw is in the design of the protocol, the CSIRTUK report states that they “expect any RFC-compliant SSH implementation to be vulnerable to some form of the attack.”
Products Not Affected When Using Counter-mode Ciphers
The following Attachmate products and versions are not affected by this vulnerability when configured to use counter-mode ciphers:
Reflection Standard Suite 2008 R1 SP1
Reflection for IBM 2008 R1 SP1
Reflection for IBM 2007 (Reflection FTP Component when using SFTP)
Reflection for UNIX and OpenVMS R1 SP1
Reflection for Secure IT Windows Client and Server 7.1 or higher
Reflection for Secure IT Windows Server 6.1 SP2, SP3, SP4
Reflection for Secure IT UNIX Client and Server 7.1 or higher
Reflection for Secure IT UNIX Client and Server 7.0 SP1
Reflection for Secure IT UNIX Client and Server 6.1 SP2, SP3, SP4
Reflection for IBM version 14.0 SP6 (Reflection FTP component when using SFTP)
Reflection for UNIX and OpenVMS 14.0 SP6
Reflection for the Multi-Host Enterprise Professional Edition version 14.0 SP6
Reflection for the Multi-Host Enterprise Standard Edition version 14.0 SP6
Reflection X version 14.0 SP6
Reflection Suite for X version 14.0 SP6
Reflection X Advantage 2.0
Reflection for HP 14.0 SP6
Reflection FTP Client version 14.0 SP6
Products Not Affected When Using the Arcfour Cipher
The arcfour128 and arcfour256 ciphers are not subject to this vulnerability, nor to the initial cipher stream arcfour vulnerability. The following Attachmate products and versions support these arcfour ciphers:
Reflection Standard Suite 2008 R1 SP1
Reflection for IBM 2008 R1 SP1
Reflection for IBM 2007 (Reflection FTP Component when using SFTP)
Reflection for UNIX and OpenVMS R1 SP1
Reflection for Secure IT Windows Client and Server 7.1 or higher
Reflection for Secure IT UNIX Client and Server 7.1 or higher
Reflection for IBM version 14.0.6 (Reflection FTP component when using SFTP)
Reflection for UNIX and OpenVMS 14.0 SP6
Reflection for the Multi-Host Enterprise Professional Edition version 14.0 SP6
Reflection for the Multi-Host Enterprise Standard Edition version 14.0 SP6
Reflection X version 14.0 SP6
Reflection Suite for X version 14.0 SP6
Reflection for HP 14.0 SP6
Reflection FTP Client version 14.0 SP6
Products Affected When Using CBC-mode Block Ciphers
All products and versions listed in the Applies To section of this note are affected by this vulnerability when configured to use CBC-mode block ciphers.
Workaround Options
The primary recommended workaround is to use counter-mode ciphers (CTR) where supported, instead of CBC-mode block ciphers.
Many of the affected products listed in the Applies To section of this note do not support CTR. Attachmate plans to make updates for current products available to maintained users that will address the issue by supporting the CTR workaround. More details will be published in this technical note when they are available.
To further secure your SSH servers, you can configure the AllowHosts and DenyHosts ACLs to prevent connections from clients in untrusted networks. In Reflection for Secure IT Windows Server 7.0 or higher, you can also configure IP Blocking (on the Authentication pane) to lock out repeated failed connection attempts. IP blocking applies only to password authentication (both traditional and Keyboard Interactive). Note: If you disable password authentication or Keyboard Interactive authentication, then IP Blocking no longer applies.
Finally, configuring SSH servers for user authentication methods that do not require passwords to be sent across the wire (specifically, the "password" and "password over keyboard-interactive" methods) reduces the chance of compromising user accounts.
Specific Product Solutions
Product updates are available to correct this vulnerability for some affected Attachmate applications. Maintained customers can obtain product updates from the Attachmate Download Library as directed below. For those products where an update is not yet available (products not listed below), please refer to Workaround Options.
Reflection 2008 Products R1 Service Pack 1
This vulnerability does not affect the following versions when either AES counter-mode ciphers (aes128-ctr, aes192-ctr or aes256-ctr), arcfour128, or arcfour256 are explicitly enabled.
Reflection Standard Suite 2008 R1 Service Pack 1
Reflection for IBM 2008 R1 Service Pack 1 (Reflection FTP Component when using SFTP)
Reflection for UNIX and OpenVMS R1 Service Pack 1
Reflection 14.0 Service Pack 6
This vulnerability does not affect the following versions when either AES counter-mode ciphers (aes128-ctr, aes192-ctr or aes256-ctr), arcfour128, or arcfour256 are explicitly enabled.
Reflection for IBM version 14.0 SP6 (Reflection FTP Component when using SFTP)
Reflection for UNIX and OpenVMS 14.0 SP6
Reflection for the Multi-Host Enterprise Professional Edition version 14.0 SP6
Reflection for the Multi-Host Enterprise Standard Edition version 14.0 SP6
Reflection X version 14.0 SP6
Reflection Suite for X version 14.0 SP6
Reflection for HP 14.0 SP6
Reflection FTP Client version 14.0 SP6
Reflection for Secure IT Windows Server
This vulnerability does not affect the following versions when either AES counter-mode ciphers (aes128-ctr, aes192-ctr or aes256-ctr), arcfour128*, or arcfour256* are explicitly enabled.
Reflection for Secure IT Windows Server 7.1 or higher
Reflection for Secure IT Windows Server 6.1 SP2, SP3, SP4**
* Available beginning in version 7.1.
** This version is now in the Retired phase of the Product Support Lifecycle. (Service Packs are not available for Retired product versions.) If you have an earlier version of 6.x, upgrade to 7.1 or higher, which is available from the Attachmate Download Library.
Note the following:
- The server supports the counter-mode and arcfour128/256 ciphers by default, but SSH clients must be configured to propose the counter-mode or arcfour128/256 ciphers prior to any other ciphers.
- For more information about the current version of Reflection for Secure IT Windows Server, see Technical Note 2415.
- For more information about the Product Support Lifecycle, see http://support.attachmate.com/programs/lifecycle/.
Reflection for Secure IT UNIX Client or UNIX Server
This vulnerability does not affect the following versions when either AES counter-mode ciphers (aes128-ctr, aes192-ctr or aes256-ctr), arcfour128*, or arcfour256* are explicitly enabled.
Reflection for Secure IT UNIX Server 7.1 or higher
Reflection for Secure IT UNIX Server 7.0 SP1 or higher
Reflection for Secure IT UNIX Server 6.1 SP2, SP3, SP4**
* Available beginning in version 7.1.
** This version is now in the Retired phase of the Product Support Lifecycle. (Service Packs are no longer available on the Support site for Retired product versions.) If you have an earlier version of 6.x, upgrade to 7.0 SP1 or higher, or 7.1 or higher, which are available from the Attachmate Download Library.
Note the following:
- The server supports the counter-mode and arcfour128/256 ciphers by default, but SSH clients must be configured to propose the counter-mode or arcfour128/256 ciphers prior to any other ciphers.
- For more information about the current version of Reflection for Secure IT Windows Server, see Technical Note 2414.
- For more information about the Product Support Lifecycle, see http://support.attachmate.com/programs/lifecycle/.
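The notes above require clients to propose counter-mode or arcfour128/256 ciphers before any others because, under RFC 4253, the cipher used in each direction is the first name on the client's list that the server also supports. The following added example (not Attachmate code) parses the cipher name-lists from two SSH_MSG_KEXINIT payloads and reports which cipher would be negotiated and whether it is a CBC-mode cipher. The payloads, the helper names and the non-cipher algorithm names are constructed for illustration.

```python
import struct

# Cipher names the advisory lists as not affected; "-cbc" names are the affected mode.
NOT_AFFECTED = {"aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour128", "arcfour256"}

def build_kexinit(ciphers):
    """Constructed sample SSH_MSG_KEXINIT payload (layout per RFC 4253 section 7.1)."""
    names = ",".join(ciphers)
    lists = ["diffie-hellman-group14-sha1", "ssh-rsa", names, names,
             "hmac-sha1", "hmac-sha1", "none", "none", "", ""]
    body = b"".join(struct.pack(">I", len(s)) + s.encode("ascii") for s in lists)
    return b"\x14" + bytes(16) + body + b"\x00" + bytes(4)

def parse_ciphers(payload):
    """Return the (client-to-server, server-to-client) cipher name-lists."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, []                      # skip message code + 16-byte cookie
    for _ in range(10):                      # ten name-lists follow the cookie
        if off + 4 > len(payload):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n].decode("ascii")
        lists.append(raw.split(",") if raw else [])
        off += n
    return lists[2], lists[3]

def classify(cipher):
    if cipher is None:
        return "no common cipher"
    if cipher.endswith("-cbc"):
        return "affected"
    return "not affected" if cipher in NOT_AFFECTED else "review"

def audit(client_payload, server_payload):
    """Cipher chosen per direction: first client name the server also lists."""
    out = {}
    pairs = zip(("c2s", "s2c"), parse_ciphers(client_payload), parse_ciphers(server_payload))
    for direction, client, server in pairs:
        chosen = next((c for c in client if c in server), None)
        out[direction] = (chosen, classify(chosen))
    return out

# Constructed samples: one server, a client proposing CBC first, and the same client reordered.
SERVER = build_kexinit(["aes128-ctr", "aes256-ctr", "arcfour128", "aes128-cbc", "3des-cbc"])
CBC_FIRST = build_kexinit(["aes128-cbc", "3des-cbc", "aes128-ctr"])
CTR_FIRST = build_kexinit(["aes128-ctr", "arcfour128", "aes128-cbc"])
```

Calling `audit(CBC_FIRST, SERVER)` reports aes128-cbc in both directions even though the server lists counter-mode ciphers first; `audit(CTR_FIRST, SERVER)` reports aes128-ctr.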
Important Security Note
The security for all of the Reflection products using the Reflection security features depends upon the security of the operating system, host, and network environment. Attachmate strongly recommends that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers.
Related Technical Notes
| 1708 | Security Updates and Reflection |
| 2374 | Reflection for Secure IT UNIX Client and Server 7.0 Service Pack 1 (SP1): Fixes and Features |
| 2401 | Configuring Ciphers in Reflection for Secure IT |
| 2414 | New Features in Reflection for Secure IT UNIX Client and Server 7.1 and Release Notes |
| 2415 | New Features in Reflection for Secure IT Windows Server 7.1 |