COMMAND

    OpenSSH's ssh-keysign weakness

SYSTEMS AFFECTED

    OpenSSH, all releases, depending on operating system

PROBLEM

    Charles Hannum says:

    There are 3 problems we observed by inspection of OpenSSH's ssh-keysign:

    1) [Charles Hannum] Since no blinding is done on the RSA calculations,
       ssh-keysign is effectively a fairly efficient oracle for mounting a
       Kocher timing analysis attack on the host key(s). (Using OAEP padding
       -- per recent versions of PKCS1 -- would not only mitigate this
       better, but would also mitigate other RSA attacks. Unfortunately,
       this would require a change in the protocol.)

    2) [Bill Sommerfeld] There is a use-after-free bug; see:

           if (valid_request(pw, host, &key, data, dlen) < 0)
                   fatal("not a valid request");
           xfree(data);
           xfree(host);
           ...
           if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)

       (This has already been fixed in the main OpenSSH tree.)

    3) [Charles Hannum] The protection of host keys is not very good; to wit:

           key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
           key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
           seteuid(getuid());
           setuid(getuid());

       Although current BSD systems are safe (because they do not permit
       PTRACE_ATTACH, et al., on processes that were ever set-id), this may
       permit direct reading of the host keys by users on other systems.

SOLUTION

    See above comments.