CERTVU:178990Erlang/OTP SSH library uses a weak random number generator
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
0.002 Low
EPSS
Percentile
60.8%
Overview
The Erlang/OTP SSH libraryβs random number generator is not cryptographically strong because it relies on predictable seed material.
Description
Geoff Cantβs report states:
_The Erlang/OTP ssh library implements a number of cryptographic operations that depend on cryptographically strong random numbers. Unfortunately the RNG used by the library is not cryptographically strong, and is further weakened by the use of predictable seed material. The RNG (Wichman-Hill) is not mixed with an entropy source.
The seed used for all ssh connections in the library is the current time (to approximately microsecond resolution). By observing the time a connection from this library is established, the first two components of the three RNG seed can be guessed.The third component can be recovered by brute-force; trying each possible value (1β¦1000000).
Guessing the exact seed is made easier by the 16 byte random session cookie that the library will send in its plaintext kexinit message. This cookie will be bytes 17-32 of the RNG sequence._
_
Once the session RNG seed is recovered, an attacker can simply perform the same DH key exchange operation as the SSH library and recover the session secret. Additionally, if the ssh library is used on the server side of the connection and DSA host key is used, the private key can be recovered from the kex_dh messages. The secret signing value k is known from the RNG seed (bytes 170 - 190 of the sequence), so with the public DSA key data in the kex_dh_reply message the private part can be recovered by inverting the signature operation._
Impact
An attacker can recover SSH session keys and DSA host keys.
Solution
Apply an Update
A patch has been committed for issue βssh 2.0.5 OTP 9225β to the Erlang/OTP source that remediates the vulnerability. All SSH DSA keys used with the vulnerable library should be changed. Any password or secret sent over a connection that used the vulnerable library should be changed as well.
Erlang/OTP R14B03 is the first official release to address this vulnerability. Users that donβt apply the patch should upgrade to R14B03 or later.
Vendor Information
178990
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Ericsson Affected
Updated: April 22, 2011
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <https://github.com/erlang/otp/commit/f228601de45c5b53241b103af6616453c50885a5>
- <http://www.erlang.org/>
- <http://www.erlang.org/download.html>
Acknowledgements
Thanks to Geoff Cant for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
| CVE IDs: | CVE-2011-0766 |
|---|---|
| Severity Metric: | 2.74 Date Public: |
Related
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
0.002 Low
EPSS
Percentile
60.8%