SSH Secure Shell 3.1 to 3.2.4 and SSH IPSEC Express Toolkit 5.0.0 RSA signature verification vulnerability
Certain RSA signatures might be incorrectly verified in host or user authentication, including digital certificates, when RSA keys are used. This issue affects the RSA PKCS v1.5 signature scheme.
In SSH Secure Shell products, server authentication is affected, and in user authentication both public-key authentication and host-based authentication are affected. Other user authentication methods, for example password, RSA SecurID or keyboard-interactive authentication, are not vulnerable.
Affected Systems
SSH Secure Shell for Servers, SSH Secure Shell for Workstations, and SSH Secure Shell for Windows Servers versions 3.1.0 - 3.1.7 and 3.2.0 - 3.2.4. SSH IPSEC Express Toolkit version 5.0.0. The vulnerability affects all Unix and Windows platforms.
Description of the Vulnerability
Incorrect error reporting in the signature verification code path may make it possible that certain invalid RSA signatures are incorrectly verified as valid. This opens up the possibility that an attacker who is not in possession of an RSA private key may be able to forge signatures while knowing only the corresponding public key. In practice, and to the best of our knowledge, it is very difficult to forge such a signature.
Risk of Exploit
To successfully forge a signature, the attacker must construct a buffer which looks like a real signature in at least the 68 most significant bits. Namely, after the verifier performs the RSA public key exponentiation on the signature buffer, the resulting buffer must have valid PKCS v1.5 padding and ASN.1 structure, otherwise the signature will be correctly signalled as invalid and authentication will fail. Based on our initial analysis, the only practical way to construct such a forgery is by using brute force methods, which requires roughly 2^67 RSA computations, rendering the attack impractical.
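As an added example, not code from the advisory or from SSH's products, the following Python shows the strict check a verifier should apply to the buffer recovered by the RSA public-key exponentiation: the PKCS #1 v1.5 padding and the ASN.1 DigestInfo must be valid byte for byte, and any defect must be reported to the caller as a failed verification rather than swallowed. The encoded-message buffers, the SHA-1 DigestInfo prefix and the test messages are constructed inputs; the RSA modular exponentiation itself is assumed to have already produced `em`.

```python
import hashlib
import hmac

# DER-encoded DigestInfo header for SHA-1 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 0x00 0x01 || PS || 0x00 || T, PS at least 8 bytes of 0xFF."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def check_recovered_em(em: bytes, message: bytes, em_len: int) -> str:
    """Strictly check the buffer recovered by the RSA public-key exponentiation.
    Returns "ok" only when the whole structure is valid; any other return value
    is an error the caller must report as a failed signature verification."""
    if len(em) != em_len:
        return "bad length"
    if em[0:2] != b"\x00\x01":
        return "bad block type"
    sep = em.find(b"\x00", 2)  # first 0x00 after the block type terminates PS
    if sep < 0:
        return "no separator after padding"
    if sep - 2 < 8 or any(b != 0xFF for b in em[2:sep]):
        return "bad padding string"
    t = em[sep + 1:]
    if not t.startswith(SHA1_DIGESTINFO_PREFIX):
        return "bad DigestInfo"
    # Compare the whole remainder, so trailing bytes also cause a mismatch.
    digest = t[len(SHA1_DIGESTINFO_PREFIX):]
    if not hmac.compare_digest(digest, hashlib.sha1(message).digest()):
        return "digest mismatch"
    return "ok"

def run_checks(em_len: int = 128) -> dict:
    """Constructed cases: one valid encoding and several that must be rejected."""
    msg = b"constructed test message"
    good = emsa_pkcs1_v15_encode(msg, em_len)
    return {
        "valid": check_recovered_em(good, msg, em_len),
        "wrong block type": check_recovered_em(b"\x00\x02" + good[2:], msg, em_len),
        "short padding": check_recovered_em(b"\x00\x01\xff\xff\xff\x00" + bytes(em_len - 6), msg, em_len),
        # Leading bytes look like a real signature but the rest does not: must still fail.
        "junk after padding": check_recovered_em(good[:12] + bytes(em_len - 12), msg, em_len),
        "other message": check_recovered_em(good, b"another message", em_len),
    }
```

Every return value other than "ok" must propagate to the authentication decision; the defect described in this advisory is precisely an error on this path being reported incorrectly.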
Description of the fix
In SSH Secure Shell 3.1.8 and 3.2.5 and in SSH IPSEC Express Toolkit 5.1.1 the error handling was corrected.
Solution to the problem for SSH Secure Shell
Update to SSH Secure Shell version 3.1.8 or 3.2.5, which contain the fix for this vulnerability. Customers may download the SSH Secure Shell update from the Updates and Packages listed in the Download section. A valid license_ssh2.dat is required for all the binaries. Depending on your license file, the Unix binaries will function as the SSH Secure Shell for Workstations or SSH Secure Shell for Servers product. If you wish to obtain a license file, please visit our online store or contact your sales representative.
Updating SSH Secure Shell from 3.1.x to 3.1.8
If you have a commercial license for a 3.1.x product, you can install the 3.1.8 version binaries on top of the old 3.1.x ones.
Updates and Packages
SSH Secure Shell for Workstations 3.1
SSH Secure Shell for Servers 3.1
SSH Secure Shell for Windows Servers 3.1
Updating SSH Secure Shell from 3.2.x to 3.2.5
If you have a commercial license for a 3.2.x product, you can install the 3.2.5 version binaries on top of the old 3.2.x ones.
Updates and Packages
SSH Secure Shell for Workstations 3.2
SSH Secure Shell for Servers 3.2
SSH Secure Shell for Windows Servers 3.2
Non-commercial users
Only non-commercial source code and English Windows client binary without PKI and smart card functionality are available for the non-commercial users. No license.dat file is required for the non-commercial versions available at
ftp://ftp.ssh.com/pub/ssh/
Please see the list of available mirror sites.
Solution to the problem for SSH IPSEC Express Toolkit
Upgrade to SSH IPSEC Express Toolkit version 5.1.1 that contains the fix for this vulnerability or apply the patch provided for SSH IPSEC Express Toolkit version 5.0.0 customers.
SSH Communications Security Corp is committed to utmost security
SSH Communications Security apologizes for any inconvenience caused. We take security of the systems of our customers very seriously and do our utmost to provide secure software. We strongly urge all customers to consider the implications of this vulnerability carefully and to make an educated decision on whether or not to update/upgrade.
SSH Corp. Contact
George Adams
SSH Communications Security Corp.
Tel: +1 781 247 2100
E-mail:
Americas Contact
Byron Rashed
SSH Communications Security, Inc.
Tel: +1 650 251 2721
E-mail:
Europe Contact
Bo Sorensen
SSH Communications Security Corp.
Tel: +358 20 500 7404
E-mail:
Investor Relations
Mika Peuranen
SSH Communications Security Corp.
Tel: +358 20 500 7419
E-mail:
U.S. Agency Contact
Cheryl Seaberg
Walt & Company
Tel: +1 408 496 0900 x 2981
E-mail:
© 2003 SSH Communications Security Corp. All rights reserved. ssh® is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. All other names and marks are property of their respective owners.
