A minor problem has been discovered in the RSA signature handling functions of SSH Secure Shell and F-Secure SSH. Customers with a valid maintenance subscription should contact us for an upgraded version of SSH Secure Shell or F-Secure SSH that addresses the problem.
Problem
The handling of RSA signatures is faulty and may expose users who use RSA keys with SSH Secure Shell or F-Secure SSH to a potential attack. Launching such an attack would be highly impractical and the risk is considered minor.
To conduct a successful attack, the attacker would need to have the public key and would need to pre-compute the signature data so that it looks like a valid PKCS#1 signature. This is a non-trivial task to perform and according to analysis it requires a minimum of 2^67 RSA algorithm operations. Since the RSA algorithm is computationally fairly intensive, the time to undertake such an attack renders it impractical.
This problem however needs to be corrected by a maintenance release.
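The advisory does not disclose which part of the signature check was lenient, so the following is not the product's code and does not reproduce the bug. It is an added example of the strict RSASSA-PKCS1-v1_5 verification that RFC 8017 recommends: the verifier rebuilds the entire encoded block from the message and compares all k bytes, so data that merely contains the right SHA-1 DigestInfo somewhere in the block is rejected. The RSA key is a constructed toy built from two Mersenne primes so the code runs offline without a library; such a modulus is trivially factorable and is only there to exercise the padding check. The function and variable names are the example's own.

```python
import hashlib
import secrets

# Toy RSA key built from two Mersenne primes (2^521-1 and 2^607-1) so the example
# runs offline without any library.  A modulus with publicly known factors is
# worthless as a real key; it exists only so the padding check can be exercised.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (141 here)

# DER-encoded DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1).
# ssh-rsa signatures hash the exchange data with SHA-1.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v1_5_encode(message: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xff bytes, at least 8) || 0x00 || T."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for PKCS#1 v1.5 encoding")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_private_op(block: bytes) -> bytes:
    """Raw RSA private operation on a k-byte block (used by sign and by tests)."""
    return pow(int.from_bytes(block, "big"), D, N).to_bytes(K, "big")


def sign(message: bytes) -> bytes:
    return rsa_private_op(emsa_pkcs1_v1_5_encode(message, K))


def verify(message: bytes, signature: bytes) -> bool:
    """Strict RSASSA-PKCS1-v1_5 verification.

    The whole k-byte encoded block is rebuilt from the message and compared
    byte for byte, so a block that merely *contains* the right hash somewhere
    (short padding, non-0xff padding bytes, trailing data, wrong DigestInfo)
    is rejected rather than parsed leniently.
    """
    if len(signature) != K:                # exactly one modulus-length block
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:                             # outside the RSA range
        return False
    em = pow(s, E, N).to_bytes(K, "big")
    expected = emsa_pkcs1_v1_5_encode(message, K)
    return secrets.compare_digest(em, expected)


def malformed_block_rejected(message: bytes) -> bool:
    """Build a block that carries the correct hash but a deformed encoding
    (minimal padding, filler after the DigestInfo), run the private operation
    on it, and confirm the strict verifier refuses the result."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    block = head + b"\x00" * (K - len(head))
    return not verify(message, rsa_private_op(block))


if __name__ == "__main__":
    msg = b"constructed exchange hash H"      # constructed sample input
    sig = sign(msg)
    print("good signature accepted :", verify(msg, sig))
    print("other message rejected  :", not verify(b"other data", sig))
    print("malformed block rejected:", malformed_block_rejected(msg))
```

The design point is the comparison in `verify`: instead of walking the decrypted block and searching for the hash, it recomputes what the block must be and accepts nothing else. That is what makes "data that looks like a valid PKCS#1 signature" useless unless it is exactly the one encoding, and it is the check to look for when auditing any RSA signature verifier that uses PKCS#1 v1.5 padding.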
Fix
New versions of SSH Secure Shell that include the fix for the bug have been generated with version numbers 3.2.5 (for the 3.2 series) and 3.1.8 (for the 3.1 series).
The following versions of F-Secure SSH include the fix for the bug:
- F-Secure SSH Server for Unix 3.2.3 (CRITICAL UPDATE)
- F-Secure SSH Client for Unix 3.2.3
- F-Secure SSH Client for Windows 5.3
- F-Secure SSH Server for Windows 5.2, build 31 (CRITICAL UPDATE)
- F-Secure SSH Client/Server for Unix 1.3.14
Who is Affected
The discovered bug affects all RSA algorithm operations performed by SSH Secure Shell clients and servers for recent versions (3.1 and 3.2 series) and F-Secure SSH versions earlier than those listed above.
More precisely the affected scenarios are:
- Servers that use RSA keys as server hostkeys (rather than the DSA keys used by default)
- Cases where RSA keypairs are used for public key user authentication
- Cases where X.509 certificates (with RSA keys) are used for user authentication
- Cases where users of SSH Secure Shell clients connect to hosts that have RSA hostkeys
- Cases where hostbased authentication is used (when the SSH Secure Shell Server hostkeys are RSA keys)
SSH usage scenarios that are not affected:
- Cases where SSH servers use DSA keys (the default setting) for hostkeys, together with password authentication, hostbased authentication, RSA SecurID, or any other user authentication method that does not involve the RSA algorithm
In effect, most users and customers who run the SSH servers with default settings (i.e., DSA host keys) and use password authentication need not worry. However, to be on the safe side it is suggested that they also consider upgrading.