Attachmate Security Update for CSIRTUK Vulnerability #CPNI-957: Plaintext Recovery Attack Against SSH

  • 7022040
  • 21-Nov-2008
  • 02-Mar-2018

Environment

Reflection 2014
Reflection Pro 2014
Reflection for IBM 2014
Reflection for IBM 2011
Reflection for IBM version 10.0 through 14.0 SP6
Reflection for UNIX and OpenVMS 2014
Reflection for UNIX and OpenVMS 2011
Reflection for UNIX and OpenVMS version 10.0 through 14.0 SP6
Reflection Standard Suite 2011
Reflection for the Multi-Host Enterprise Professional Edition version 10.0 through 14.0 SP6
Reflection for the Multi-Host Enterprise Standard Edition version 10.0 through 14.0 SP6
Reflection X 2014
Reflection X 2011
Reflection Suite for X 2011
Reflection X Advantage version 2.0 or higher
Reflection X version 10.0 through 14.0 SP6
Reflection Suite for X version 10.0 through 14.0 SP6
Reflection for HP version 10.0 through 14.0 SP6
Reflection FTP Client version 10.0 through 14.0 SP6
Reflection for the Web 2014 (All Editions)
Reflection for the Web 2011 (All Editions)
Reflection for the Web 2008 (All Editions)
Reflection for the Web version 6.0 through 9.6
EXTRA! X-treme version 8.0 through 9.x
INFOConnect version 7.5 or higher
Reflection for Secure IT UNIX Client version 6.0 through 7.0 SP1
Reflection for Secure IT UNIX Server version 6.0 through 7.0 SP1
Reflection for Secure IT Windows Client version 6.0 through 7.0 SP1
Reflection for Secure IT Windows Server version 6.0 through 7.0 SP1

Situation

This technical note describes a design flaw in the SSH protocol use of block ciphers in cipher block chaining mode; lists the affected Attachmate products; and provides solutions and workaround options to address the vulnerability.

Resolution

Vulnerability Details

A design flaw in the SSH protocol use of block ciphers in cipher block chaining (CBC) mode (as specified in IETF RFC 4253) could allow a man-in-the-middle attacker to recover up to four bytes of plaintext per connection. Although the severity of the attack is considered high, the likelihood of a successful attack is considered low, as this attack would result in repeatedly terminating the user’s SSH connection.

For details, see the US-CERT web site at http://www.kb.cert.org/vuls/id/958563.

Because this flaw is in the design of the protocol, the CSIRTUK report states that they “expect any RFC-compliant SSH implementation to be vulnerable to some form of the attack.”

Products Not Affected When Using Counter-mode Ciphers

Beginning in the versions listed, the following Attachmate products are not affected by this vulnerability when configured to use counter-mode ciphers:

Reflection 2014
Reflection Pro 2014
Reflection for IBM 2014
Reflection X 2014
Reflection for UNIX and OpenVMS 2014
Reflection Standard Suite 2011
Reflection Standard Suite 2008 R1 SP1
Reflection for IBM 2011
Reflection for IBM 2008 R1 SP1
Reflection for IBM 2007 (Reflection FTP Component when using SFTP)
Reflection for UNIX and OpenVMS 2011
Reflection for UNIX and OpenVMS 2008 R1 SP1
Reflection for IBM version 14.0 SP6 (Reflection FTP component when using SFTP)
Reflection for UNIX and OpenVMS 14.0 SP6
Reflection for the Multi-Host Enterprise Professional Edition version 14.0 SP6
Reflection for the Multi-Host Enterprise Standard Edition version 14.0 SP6
Reflection X 2011
Reflection Suite for X 2011
Reflection X version 14.0 SP6
Reflection Suite for X version 14.0 SP6
Reflection X Advantage 2.0
Reflection for HP 14.0 SP6
Reflection FTP Client version 14.0 SP6
Reflection for the Web 2008 R3
Reflection for Secure IT Windows Client and Server 7.1
Reflection for Secure IT Windows Server 6.1 SP2, SP3, SP4
Reflection for Secure IT UNIX Client and Server 7.1
Reflection for Secure IT UNIX Client and Server 7.0 SP1
Reflection for Secure IT UNIX Client and Server 6.1 SP2, SP3, SP4
FileXpress Internet Server 7.0

Products Not Affected When Using the Arcfour Cipher

The arcfour128 and arcfour256 ciphers are not subject to this vulnerability, nor to the initial cipher stream arcfour vulnerability. Beginning in the versions listed, the following Attachmate products support these arcfour ciphers:

Reflection 2014
Reflection Pro 2014
Reflection for IBM 2014
Reflection X 2014
Reflection for UNIX and OpenVMS 2014
Reflection Standard Suite 2011
Reflection Standard Suite 2008 R1 SP1
Reflection for IBM 2011
Reflection for IBM 2008 R1 SP1
Reflection for IBM 2007 (Reflection FTP Component when using SFTP)
Reflection for UNIX and OpenVMS 2011
Reflection for UNIX and OpenVMS 2008 R1 SP1
Reflection for IBM version 14.0.6 (Reflection FTP component when using SFTP)
Reflection for UNIX and OpenVMS 14.0 SP6
Reflection for the Multi-Host Enterprise Professional Edition version 14.0 SP6
Reflection for the Multi-Host Enterprise Standard Edition version 14.0 SP6
Reflection X 2011
Reflection Suite for X 2011
Reflection X version 14.0 SP6
Reflection Suite for X version 14.0 SP6
Reflection for HP 14.0 SP6
Reflection FTP Client version 14.0 SP6
Reflection for Secure IT Windows Client and Server 7.1
Reflection for Secure IT UNIX Client and Server 7.1

Products Affected When Using CBC-mode Block Ciphers

All products and versions listed in the Applies To section of this note are affected by this vulnerability when configured to use CBC-mode block ciphers.

Workaround Options

The primary recommended workaround is to use counter-mode ciphers (CTR) where supported, instead of CBC-mode block ciphers.

Many of the affected products listed in the Applies To section of this note do not support CTR. Attachmate has been incorporating updates into newer releases of the affected products to support the CTR workaround (as reflected in the "Not Affected" lists above, and the update details below), and plans to continue that practice.

To further secure your SSH servers, you can configure the AllowHosts and DenyHosts ACLs to prevent connections from clients in untrusted networks. In Reflection for Secure IT Windows Server 7.0 or higher, you can also configure IP Blocking (on the Authentication pane) to lock out repeated failed connection attempts. IP blocking applies only to password authentication (both traditional and Keyboard Interactive). Note: If you disable password authentication or Keyboard Interactive authentication, then IP Blocking no longer applies.

Finally, configuring SSH servers for user authentication methods that do not require passwords to be sent across the wire (that is, methods other than "password" and "password over keyboard-interactive") reduces the chance of compromising user accounts.

Specific Product Solutions

Product updates are available to correct this vulnerability for some affected Attachmate applications. Maintained customers can obtain product updates from the Attachmate Download Library as directed below. For those products where an update is not yet available (products not listed below), please refer to Workaround Options.

Reflection 2014 and 2011

In addition to offering AES counter-mode ciphers in Reflection 2014 and Reflection 2011 products (including Reflection Pro 2014, Reflection X 2014, Reflection X 2011 and Reflection Suite for X 2011), we also prevent premature disconnection during password or keyboard-interactive authentication, to avoid the plaintext recovery attack against CBC ciphers and the disclosure of sensitive authentication data, such as passwords.

Reflection 2008 Products R1 Service Pack 1

This vulnerability does not affect the following versions when either AES counter-mode ciphers (aes128-ctr, aes192-ctr or aes256-ctr), arcfour128, or arcfour256 are explicitly enabled.

Reflection Standard Suite 2008 R1 Service Pack 1 or higher
Reflection for IBM 2008 R1 Service Pack 1 or higher (Reflection FTP Component when using SFTP)
Reflection for UNIX and OpenVMS 2008 R1 Service Pack 1 or higher

Reflection for the Web 2014, 2011, and 2008 R3

In Reflection for the Web 2014, Reflection for the Web 2011, and Reflection for the Web 2008 R3, this vulnerability does not affect this product when AES counter-mode ciphers (aes128-ctr, aes192-ctr or aes256-ctr) are explicitly enabled.

Reflection 14.1

In addition to continuing to offer AES counter-mode ciphers in Reflection 14.1 products, we now prevent premature disconnection during password or keyboard-interactive authentication, to avoid the plaintext recovery attack against CBC ciphers and the disclosure of sensitive authentication data, such as passwords.

Reflection 14.0 Service Pack 6 or Higher

Beginning in the versions listed, this vulnerability does not affect the following products when either AES counter-mode ciphers (aes128-ctr, aes192-ctr or aes256-ctr), arcfour128, or arcfour256 are explicitly enabled.

Reflection for IBM version 14.0 SP6 (Reflection FTP Component when using SFTP)
Reflection for UNIX and OpenVMS 14.0 SP6
Reflection for the Multi-Host Enterprise Professional Edition version 14.0 SP6
Reflection for the Multi-Host Enterprise Standard Edition version 14.0 SP6
Reflection X version 14.0 SP6
Reflection Suite for X version 14.0 SP6
Reflection for HP 14.0 SP6
Reflection FTP Client version 14.0 SP6

Reflection for Secure IT Windows Server

This vulnerability does not affect the following versions when either AES counter-mode ciphers (aes128-ctr, aes192-ctr or aes256-ctr), arcfour128*, or arcfour256* are explicitly enabled.

Reflection for Secure IT Windows Server 7.1 or higher
Reflection for Secure IT Windows Server 6.1 SP2, SP3, SP4**

* Available beginning in version 7.1.

** This version is now in the Retired phase of the Product Support Lifecycle. (Service Packs are not available for Retired product versions.) If you have an earlier version of 6.x, upgrade to 7.1 or higher, which is available from the Attachmate Download Library.

Note the following:

  • The server supports the counter-mode and arcfour128/256 ciphers by default, but SSH clients must be configured to propose the counter-mode or arcfour128/256 ciphers before any other ciphers.
  • For more information about the current version of Reflection for Secure IT Windows Server, see KB 7022018.
  • For more information about the Product Support Lifecycle, see https://support.microfocus.com/programs/lifecycle/.

Reflection for Secure IT UNIX Client or UNIX Server

This vulnerability does not affect the following versions when either AES counter-mode ciphers (aes128-ctr, aes192-ctr or aes256-ctr), arcfour128*, or arcfour256* are explicitly enabled.

Reflection for Secure IT UNIX Server 7.1 or higher
Reflection for Secure IT UNIX Server 7.0 SP1 or higher
Reflection for Secure IT UNIX Server 6.1 SP2, SP3, SP4**

* Available beginning in version 7.1.

** This version is now in the Retired phase of the Product Support Lifecycle. (Service Packs are no longer available on the Support site for Retired product versions.) If you have an earlier version of 6.x, upgrade to 7.0 SP1 or higher, or 7.1 or higher, which are available from the Attachmate Download Library.

Note the following:

  • The server supports the counter-mode and arcfour128/256 ciphers by default, but SSH clients must be configured to propose the counter-mode or arcfour128/256 ciphers before any other ciphers.
  • For more information about the current version of Reflection for Secure IT Windows Server, see KB 7021943.
  • For more information about the Product Support Lifecycle, see https://support.microfocus.com/programs/lifecycle/.
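
The client-ordering requirement in the notes above follows from SSH algorithm negotiation (RFC 4253, section 7.1): the cipher used in each direction is the first name on the client's list that the server also supports. The following added example is not Attachmate code; it parses two SSH_MSG_KEXINIT payloads and reports whether a CBC-mode cipher would be negotiated. The field labels, cipher lists and payloads are constructed for illustration.

```python
import struct

# RFC 4253 section 7.1: SSH_MSG_KEXINIT (20), 16-byte cookie, ten name-lists,
# a boolean and a reserved uint32. Field labels below are this example's own.
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(ciphers):
    """Constructed test payload: only the two cipher name-lists are filled."""
    body = bytes([20]) + bytes(16)
    for field in FIELDS:
        names = ",".join(ciphers).encode() if field.startswith("enc_") else b""
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)

def parse_kexinit(payload):
    """Return {field: [names]} from a KEXINIT payload, rejecting truncation."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[offset:offset + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        offset += length
    return lists

def audit(client_payload, server_payload):
    """Per direction: (negotiated cipher, True if it is a CBC-mode cipher)."""
    client, server = parse_kexinit(client_payload), parse_kexinit(server_payload)
    result = {}
    for direction in ("enc_c2s", "enc_s2c"):
        # First name on the client's list that the server also offers wins.
        chosen = next((c for c in client[direction] if c in server[direction]), None)
        result[direction] = (chosen, chosen is not None and "-cbc" in chosen)
    return result

# Constructed cipher lists, not taken from any product's defaults.
SERVER = build_kexinit(["aes128-ctr", "aes256-ctr", "arcfour256", "aes128-cbc", "3des-cbc"])
CBC_FIRST_CLIENT = build_kexinit(["aes128-cbc", "3des-cbc", "aes128-ctr"])
CTR_FIRST_CLIENT = build_kexinit(["aes128-ctr", "arcfour256", "aes128-cbc"])

if __name__ == "__main__":
    print("CBC listed first:", audit(CBC_FIRST_CLIENT, SERVER))
    print("CTR listed first:", audit(CTR_FIRST_CLIENT, SERVER))
```

With the same server, the client that lists a CBC cipher first negotiates CBC even though the server prefers counter mode, which is why the client's proposal order has to be changed.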

Important Security Note

The security for all of the Reflection products using the Reflection security features depends upon the security of the operating system, host, and network environment. Attachmate strongly recommends that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers.

Status

Security Alert

Additional Information

Legacy KB ID

This article was originally published as Attachmate technical note 2398.