Executive Summary

Summary
Title: Erlang/OTP SSH library uses a weak random number generator
Information
Name: VU#178990    First vendor publication: 2011-05-25
Vendor: VU-CERT    Last vendor modification: 2011-05-25
Severity (vendor): N/A    Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA    Environmental score: NA
Impact subscore: NA    Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
CVSS base score: 7.8    Attack range: Network
CVSS impact score: 6.9    Attack complexity: Low
CVSS exploit score: 10    Authentication: None required

Detail

Vulnerability Note VU#178990

Erlang/OTP SSH library uses a weak random number generator

Overview

The Erlang/OTP SSH library's random number generator is not cryptographically strong because it relies on predictable seed material.

I. Description

Geoff Cant's report states:

The Erlang/OTP ssh library implements a number of cryptographic operations that depend on cryptographically strong random numbers. Unfortunately the RNG used by the library is not cryptographically strong, and is further weakened by the use of predictable seed material. The RNG (Wichmann-Hill) is not mixed with an entropy source.

The seed used for all ssh connections in the library is the current time (to approximately microsecond resolution). By observing the time a connection from this library is established, the first two components of the three-component RNG seed can be guessed. The third component can be recovered by brute force, trying each possible value (1..1000000).

Guessing the exact seed is made easier by the 16-byte random session cookie that the library will send in its plaintext kexinit message. This cookie will be bytes 17-32 of the RNG sequence.

Once the session RNG seed is recovered, an attacker can simply perform the same DH key exchange operation as the SSH library and recover the session secret. Additionally, if the ssh library is used on the server side of the connection and a DSA host key is used, the private key can be recovered from the kex_dh messages. The secret signing value k is known from the RNG seed (bytes 170-190 of the sequence), so with the public DSA key data in the kex_dh_reply message the private part can be recovered by inverting the signature operation.
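To make the seeding weakness concrete, the following is an added illustration written for this page; it is a constructed model, not Erlang/OTP code and not part of Geoff Cant's report or the CERT note. It implements the classic Wichmann-Hill (AS 183) generator the report names, seeds it from a timestamp split into an erlang:now()-style {MegaSecs, Secs, MicroSecs} triple, and shows that the "random" session cookie is fully determined by that timestamp, while a cookie drawn from the operating system's CSPRNG is not. The byte-extraction rule (one byte per generator step), the exact seed shape, and the assumption that bytes 1-16 are consumed before the cookie are modelling assumptions taken from the report's description, not verified library behaviour.

```python
import secrets


# Classic Wichmann-Hill (AS 183): three small linear congruential generators
# whose normalised outputs are summed modulo 1. No entropy is ever mixed in,
# so the whole output stream is a function of the three seed integers.
class WichmannHill:
    def __init__(self, a1, a2, a3):
        # Reduce each component into its modulus and avoid a stuck zero state.
        self.s1 = a1 % 30269 or 1
        self.s2 = a2 % 30307 or 1
        self.s3 = a3 % 30323 or 1

    def uniform(self):
        """Next value in [0, 1)."""
        self.s1 = (171 * self.s1) % 30269
        self.s2 = (172 * self.s2) % 30307
        self.s3 = (170 * self.s3) % 30323
        return (self.s1 / 30269.0 + self.s2 / 30307.0 + self.s3 / 30323.0) % 1.0

    def random_bytes(self, n):
        # Assumption: one output byte per generator step, taken as int(u * 256).
        return bytes(int(self.uniform() * 256) for _ in range(n))


def time_seed(now_us):
    """Split a microsecond timestamp into an erlang:now()-style triple
    {MegaSecs, Secs, MicroSecs}. Assumption: this is the "current time" seed
    the report describes. MegaSecs and Secs follow directly from the observed
    connection time; only MicroSecs (0..999999) is not directly observable."""
    secs, micro = divmod(now_us, 1_000_000)
    mega, secs = divmod(secs, 1_000_000)
    return mega, secs, micro


def weak_session_cookie(now_us):
    """Cookie as the report describes it: bytes 17-32 of the RNG sequence
    seeded from the connection time (constructed model, not library code)."""
    rng = WichmannHill(*time_seed(now_us))
    rng.random_bytes(16)         # bytes 1-16: assumed consumed by earlier operations
    return rng.random_bytes(16)  # bytes 17-32: sent in the plaintext kexinit


def strong_session_cookie():
    """Hardened form: draw the cookie from the OS CSPRNG, which is seeded
    from real entropy, so observing the connection time reveals nothing."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    # Constructed timestamp: 2011-05-25 00:00:00.123456 UTC in microseconds.
    t = 1_306_281_600_123_456
    print("seed triple          :", time_seed(t))
    print("weak cookie, run 1   :", weak_session_cookie(t).hex())
    print("weak cookie, run 2   :", weak_session_cookie(t).hex())  # identical
    print("strong cookie, run 1 :", strong_session_cookie().hex())
    print("strong cookie, run 2 :", strong_session_cookie().hex())  # differs
```

The two weak cookies are byte-for-byte identical because the generator state is nothing more than the timestamp; the only component an observer cannot read off the wire is the microsecond field, which is why the report puts the remaining guesswork at 1..1000000. The hardened variant removes that dependency entirely by taking the cookie (and, in a real fix, every other secret value) from a cryptographically strong source.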

II. Impact

An attacker can recover SSH session keys and DSA host keys.

III. Solution

Apply an Update

A patch has been committed for issue "ssh 2.0.5 OTP 9225" to the Erlang/OTP source that remediates the vulnerability. All SSH DSA keys used with the vulnerable library should be changed. Any password or secret sent over a connection that used the vulnerable library should be changed as well.

Erlang/OTP R14B03 is the first official release to address this vulnerability. Users that don't apply the patch should upgrade to R14B03 or later.

Vendor Information

Vendor      Status      Date Notified    Date Updated
Ericsson    Affected    2011-04-22

References

https://github.com/erlang/otp/commit/f228601de45c5b53241b103af6616453c50885a5
http://www.erlang.org/
http://www.erlang.org/download.html

Credit

Thanks to Geoff Cant for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Date Public: 2011-05-25
Date First Published: 2011-05-25
Date Last Updated: 2011-05-25
CERT Advisory: 
CVE-ID(s): CVE-2011-0766
NVD-ID(s): CVE-2011-0766
US-CERT Technical Alerts: 
Severity Metric: 2.74
Document Revision: 14

Original Source

Url : http://www.kb.cert.org/vuls/id/178990

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-310 Cryptographic Issues

CPE : Common Platform Enumeration

Type    Description    Count
Application 24
Application 10
Application 33

OpenVAS Exploits

Date Description
2011-08-03 Name : FreeBSD Ports: erlang
File : nvt/freebsd_erlang.nasl
2011-08-02 Name : Fedora Update for erlang FEDORA-2011-9598
File : nvt/gb_fedora_2011_9598_erlang_fc15.nasl
2011-08-02 Name : Fedora Update for erlang FEDORA-2011-9657
File : nvt/gb_fedora_2011_9657_erlang_fc14.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
73264 Erlang/OTP SSH Predictable Seed Insecure Random Number Generator Weakness

Nessus® Vulnerability Scanner

Date Description
2011-08-01 Name : The remote Fedora host is missing a security update.
File : fedora_2011-9598.nasl - Type : ACT_GATHER_INFO
2011-08-01 Name : The remote Fedora host is missing a security update.
File : fedora_2011-9657.nasl - Type : ACT_GATHER_INFO
2011-05-26 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_e483392786e511e0a6b4000a5e1e33c6.nasl - Type : ACT_GATHER_INFO