
OpenSSH Protocol Pwned

"The flaw, which lies in version 4.7 of OpenSSH on Debian/GNU Linux,
allows 32 bits of encrypted text to be rendered in plaintext, according
to a research team from the Royal Holloway Information Security Group
(ISG).

An attacker has a 2^{-18} (that is, one in 262,144) chance of
success. ISG lead professor Kenny Patterson told ZDNet UK last Monday
that the flaw was more significant than previous vulnerabilities in
OpenSSH.

"This is a design flaw in OpenSSH," said Patterson. "The other vulnerabilities have been more about coding errors."

According to Patterson, a man-in-the-middle attacker could sit
on a network and grab blocks of encrypted text as they are sent from
client to server. By re-transmitting the blocks to the server, an
attacker can work out the first four bytes of corresponding plaintext.
The attacker can do this by counting how many bytes the attacker sends
until the server generates an error message and tears down the
connection, then working backwards to deduce what was in the OpenSSH
encryption field before encryption.

The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH, said Patterson.

Patterson gave a talk on Monday at the IEEE Symposium on
Security and Privacy in California to explain his group's research
findings. The three ISG academics involved in the research were
Patterson, Martin Albrecht and Gaven Watson."
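The man-in-the-middle procedure described above, worked through as an added illustration. This is not code from the article, the ISG paper or OpenSSH: a toy Feistel block cipher stands in for AES in CBC mode, the server model keeps only the behaviour the attack relies on (the IV chains across packets, the first block is decrypted as soon as it arrives, and its first four bytes are trusted as packet_length after sanity checks, with the MAC verified only once the whole packet has been read), and the 256 KiB upper bound on packet_length plus the block-alignment check are assumed here to match OpenSSH 4.7. `rigged_demo` forces the session into the rare case where the decrypted length field passes those checks (the top 14 bits of a 32-bit length must be zero for the bound and the low 4 bits must be block-aligned, which is where the quoted 2^-18 comes from); `random_trial` shows the usual outcome, where the server disconnects at once and the attacker learns nothing.

```python
import hashlib
import hmac
import random
import struct

BLOCK = 16                 # cipher block size in bytes
MAC_LEN = 20               # tag length for hmac-sha1
MAX_PACKET = 256 * 1024    # assumed OpenSSH 4.7 upper bound on packet_length


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation on 16-byte blocks (stand-in for AES)."""
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, xor(left, _f(key, r, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = xor(right, _f(key, r, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class SshServer:
    """Receiving side of the SSH binary packet protocol in CBC mode, reduced to
    what the attack exploits: chained IV, first block decrypted on arrival, its
    first 4 bytes trusted as packet_length (after checks) before any MAC check."""

    def __init__(self, key: bytes, iv: bytes):
        self.key, self.chain_iv = key, iv
        self.buf, self.need, self.closed = b"", None, None

    def deliver(self, ciphertext: bytes) -> None:
        """A genuine packet arrives intact; its last block becomes the next IV."""
        self.chain_iv = ciphertext[-BLOCK:]

    def feed(self, data: bytes):
        """Feed wire bytes. Returns None while waiting, else the disconnect reason."""
        if self.closed:
            return self.closed
        self.buf += data
        if self.need is None:
            if len(self.buf) < BLOCK:
                return None
            first = xor(block_decrypt(self.key, self.buf[:BLOCK]), self.chain_iv)
            packet_length = struct.unpack(">I", first[:4])[0]
            if packet_length < 5 or packet_length > MAX_PACKET:
                self.closed = "bad packet length"      # torn down at once
                return self.closed
            if (packet_length + 4) % BLOCK != 0:
                self.closed = "padding error"          # torn down at once
                return self.closed
            self.need = 4 + packet_length + MAC_LEN    # bytes wanted before MAC check
        if len(self.buf) >= self.need:
            self.closed = "mac error"   # an injected packet never carries a valid MAC
        return self.closed


def attack(server: SshServer, target: bytes, prev_block: bytes) -> dict:
    """Re-send one captured ciphertext block as the start of a new packet and
    count the bytes the server swallows before tearing the session down."""
    iv_seen = server.chain_iv          # last ciphertext block on the wire, known to the MITM
    reason, sent = server.feed(target), BLOCK
    if reason is not None:
        return {"status": "failed", "reason": reason, "bytes_sent": sent}
    filler = random.Random(0)
    while reason is None:
        reason = server.feed(bytes([filler.randrange(256)]))   # arbitrary byte
        sent += 1
    packet_length = sent - 4 - MAC_LEN
    # Server saw D(target) ^ iv_seen; the victim's plaintext was D(target) ^ prev_block.
    recovered = xor(struct.pack(">I", packet_length), xor(prev_block[:4], iv_seen[:4]))
    return {"status": "recovered", "reason": reason, "bytes_sent": sent, "plaintext": recovered}


def rigged_demo() -> dict:
    """Constructed session where the victim's second packet leaves the chain IV so
    that the injected block passes the length checks (the ~2^-18 event, forced here)."""
    key = hashlib.sha256(b"demo key").digest()[:16]
    iv0 = hashlib.sha256(b"demo iv").digest()[:16]
    # Constructed victim packet A (32 bytes): length 28, padding length, payload, padding.
    plain_a = struct.pack(">I", 28) + b"\x0b" + b"hunter2-pass" + b"\x00" * 15
    cipher_a = cbc_encrypt(key, iv0, plain_a)
    target, prev_block = cipher_a[16:32], cipher_a[0:16]      # block the attacker wants to read
    wanted = struct.pack(">I", 12) + b"\x00" * 12              # what the server should decode
    forced_iv = xor(xor(plain_a[16:32], prev_block), wanted)
    plain_b = xor(block_decrypt(key, forced_iv), cipher_a[16:32])
    cipher_b = cbc_encrypt(key, cipher_a[16:32], plain_b)      # its last block == forced_iv
    server = SshServer(key, iv0)
    server.deliver(cipher_a)
    server.deliver(cipher_b)
    result = attack(server, target, prev_block)
    result["truth"] = plain_a[16:20]
    return result


def random_trial(seed: int) -> dict:
    """Unforced session: nearly always 'failed'; when the checks pass, the four
    recovered bytes equal the victim's plaintext."""
    rng = random.Random(seed)
    rb = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    key, iv0, plain_a, plain_b = rb(16), rb(16), rb(32), rb(16)
    cipher_a = cbc_encrypt(key, iv0, plain_a)
    cipher_b = cbc_encrypt(key, cipher_a[16:32], plain_b)
    server = SshServer(key, iv0)
    server.deliver(cipher_a)
    server.deliver(cipher_b)
    result = attack(server, cipher_a[16:32], cipher_a[0:16])
    result["correct"] = result.get("plaintext") == plain_a[16:20]
    return result
```

In the rigged run the server accepts 36 bytes (4-byte length 12, 12 bytes of body, 20 bytes of MAC) before reporting a MAC error, and the attacker turns that count back into the first four plaintext bytes of the targeted block by XORing with the two IV blocks it saw on the wire. Each attempt costs one torn-down connection, which is why the article treats the 2^-18 success rate as the limiting factor rather than the byte count itself.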

Read more: http://news.zdnet.com/2100-9595_22-303182.html