Hackers can eavesdrop on some endpoints’ SSH connections and use the information flowing there to deduce the hosts’ private RSA keys, which can then be used to impersonate the device – a textbook example of a man-in-the-middle attack – but not steal login credentials.
These are the findings published in “Passive SSH Key Compromise via Lattices”, a new research paper published by Keegan Ryan, Kaiwen He, George Arnold Sullivan, and Nadia Heninger of the University of California, San Diego. For the uninitiated, Secure Shell (SSH) connections are remote encrypted connections established between the user’s endpoint and a server.
As per the report, as the SSH connection is being established, there is a very, very slight chance of computational errors. These errors can be observed and used to calculate the SSH server’s private host RSA key.
“Crappy” middleboxes affected
While the above might sound groundbreaking, other researchers, as well as the media, don’t sound too impressed. In its writeup, The Register stressed that software libraries OpenSSL and LibreSSL (and thus OpenSSH), are not known to be vulnerable to the method described in the paper. “That means, in our view, the vast majority of devices, servers, and other equipment on the internet are not at risk, and what you’re left with is some Internet-of-Things and similar embedded gear susceptible to attack. It also only affects RSA keys.”
Cybersecurity expert Thomas Ptacek wrote a summary on Ycombinator saying, among other things, that the only endpoints vulnerable to this method are “crappy middleboxes from Zyxel, Mocana, apparently a rare subset of Cisco devices, and whatever “SSH-2.0-SSHD” is (the authors don’t know either).”
Cisco said its ASA and FTD software fixed the issue a year ago, and that it was working on mitigations for IOS and IOS XE software even before the paper was published. Zyxel, on the other hand, said the method can only be used on firmware that reached end-of-life.
For those interested in learning more, the full 15-page paper can be found on this link.
