Critical flaw in OpenSSH Client versions 5.7 to 8.3 allows targeted man-in-the-middle (MITM) attacks


Researchers find critical flaw in OpenSSH Client versions 5.7 to 8.3 that allows targeted MitM attacks using information leakage in SSH Clients

Security researchers from German security firm FZI have found a critical flaw in OpenSSH Client versions 5.7 to 8.3. The vulnerability stems from an information leak in the initial key exchange message of the SSH protocol.

OpenSSH Client is a program that allows users to establish secure, authenticated SSH connections to SSH servers. The OpenSSH source code is freely available to everyone via the Internet. The devs released OpenSSH Client version 8.3 on 27th May 2020. However, the security researchers from FZI say that even the newly released version is susceptible to MITM attacks due to the flaw.

The OpenSSH Client flaw is an Observable Discrepancy that leads to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). The vulnerability has been assigned the identifier CVE-2020-14145 and has a severity score of 4.7/10.

FZI says that any potential hacker can detect whether an SSH client using the default configuration has stored a host key for the target server. Once this is detected, the hacker can conduct a man-in-the-middle (MITM) attack on clients that connect to a server for the first time and avoid clients that would show a warning because of a changed host key. Clients that connect to a server for the first time ask the user to confirm the fingerprint of the host key. Users who compare the shown fingerprint against a known value are safe. However, many users rely on trust on first use and accept host keys without verification. These users are vulnerable to the MITM attack.

FZI states that they tested their Proof of Concept against OpenSSH 8.2 and 8.3 portable. The tests showed that, when a host key is stored, the host key algorithm list differs from the default list for all algorithm types that are not certificate-based, namely ECDSA, Ed25519, and RSA. This means that in the default configuration an attacker can identify users connecting to a server for the first time without false positives.

Proof of Concept

$ ./ -r OpenSSH-8.2-init.pcap
Client Key Exchange Init ->

Host Key Algorithms:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

Client Version: SSH-2.0-OpenSSH_8.2 (known)
Default algorithm list detected! Client doesn’t store host key.

FZI states that they notified the OpenSSH Client devs about the vulnerability, but they have taken no action. The GitHub page of OpenSSH Client shows that the devs are working on version 8.4, but it is not known whether the new version will patch the CVE-2020-14145 vulnerability.

Mitigation of the OpenSSH Client vulnerability

FZI says there are some configuration options in OpenSSH Client that can be used to mitigate the vulnerability. OpenSSH Client provides users with alternative ways to validate host keys, namely SSHFP records and host certificates. These should be used if DNSSEC or a PKI is available. Users can also enable UpdateHostKeys and set the option HostKeyAlgorithms after connecting to each server at least once.
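To check whether a client configuration still exposes the discrepancy described above, you can compare the host key algorithm list in the KEXINIT message your own client sends with and without a cached host key. The following is an added example, not code from FZI or the OpenSSH project; the function names are hypothetical and the algorithm lists are constructed sample data, not the real OpenSSH defaults.

```python
import struct

SSH_MSG_KEXINIT = 20   # message number, RFC 4253 section 7.1
COOKIE_LEN = 16        # random cookie that follows the message number
NAME_LIST_COUNT = 10   # kex, host key, 2x cipher, 2x MAC, 2x compression, 2x language


def build_kexinit(host_key_algs):
    """Build a minimal KEXINIT payload (fixture for this example only)."""
    names = [["curve25519-sha256"], host_key_algs, ["aes128-ctr"], ["aes128-ctr"],
             ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
    encoded = (",".join(n).encode("ascii") for n in names)
    body = b"".join(struct.pack(">I", len(s)) + s for s in encoded)
    # first_kex_packet_follows (boolean) and the reserved uint32 close the message
    return bytes([SSH_MSG_KEXINIT]) + bytes(COOKIE_LEN) + body + b"\x00" + bytes(4)


def parse_name_lists(payload):
    """Return the ten name-lists of a KEXINIT payload, in wire order."""
    if len(payload) < 1 + COOKIE_LEN or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, lists = 1 + COOKIE_LEN, []
    for _ in range(NAME_LIST_COUNT):
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + length].decode("ascii")
        lists.append(raw.split(",") if raw else [])
        off += length
    return lists


def host_key_algorithms(payload):
    """The second name-list is server_host_key_algorithms, in preference order."""
    return parse_name_lists(payload)[1]


def leaks_cache_state(kexinit_no_key, kexinit_cached_key):
    """True if the advertised list depends on whether a host key is cached."""
    return host_key_algorithms(kexinit_no_key) != host_key_algorithms(kexinit_cached_key)


# Constructed samples: same client, before and after caching an Ed25519 host key.
FRESH = build_kexinit(["ecdsa-sha2-nistp256", "ssh-ed25519", "rsa-sha2-512"])
CACHED = build_kexinit(["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512"])
```

The payloads here are the decoded KEXINIT message bodies; when working from a capture of your own client, strip the SSH binary packet framing (packet length, padding length, padding) before passing the payload in.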

You can download FZI’s OpenSSH Client vulnerability report here (PDF).

