News

CERT reference number VU#845620

A new vulnerability related to RSA signature verification has been discovered in the SSH Tectia Client, Connector, Server and Manager products. The vulnerability can be exploited in environments, where Secure Shell keys are generated or signed with third-party tools that allow creating insecure RSA keys.

DESCRIPTION

When an RSA key with exponent three (3) is used for authenticating Secure Shell connections, it is possible to forge PKCS#1 signatures due to a programming error in the signature verification code of the SSH Tectia products.

Potential exploit requires that a Secure Shell user, host, or a signing authority that issues certificates (CA) or revocation information (CA or OCSP responder) holds an RSA signing key with exponent 3. An attacker with access to such key, can forge signatures so that SSH Tectia Client / Connector / Server will incorrectly verify signatures as genuine. This enables impersonation of the legitimate key holder or modification of revocation information signed by the key holder.

SSH Tectia products never generate RSA keys with exponent 3. As a result, environments where all keys are created with SSH Tectia, are not vulnerable. RSA keys with exponent 3 are not commonly created with third-party implementations either and the proposed FIPS 186-3 standard does not allow use of such keys.

CERT Coordination Center's advisory can be found at http://www.kb.cert.org/vuls/id/845620

AFFECTED PRODUCTS

The following products are affected:

• SSH Tectia Client/Server/Connector 5.1.0
  
• SSH Tectia Client/Server/Connector 5.0.0 to 5.0.2
  
• SSH Tectia Client/Server/Connector 4.0.0 to 4.4.6
  
• SSH Tectia Client version 4.3.9K (and older Korean versions)
  
• SSH Tectia Client version 4.3.2J (and older Japanese versions)
  
• SSH Tectia Server for IBM z/OS 5.1.0 and older
  
• SSH Tectia Server for IBM z/OS 5.2.0
  
• SSH Tectia Manager 2.2.0
  
• SSH Tectia Manager 2.1.3 and older

FIX

Vulnerable systems should immediately be updated to product versions that have the fix. The fix does not prevent usage of exponent 3 keys but eliminates the possibility of RSA signature forgery. The fix is included in the following product versions:

• SSH Tectia Server/Client 5.1.1
  
• SSH Tectia Server/Client/Connector 5.0.3
  
• SSH Tectia Server/Client/Connector 4.4.7
  
• SSH Tectia Client 4.3.10K
  
• SSH Tectia Client 4.3.3J
  
• SSH Tectia Server for IBM z/OS 5.1.1
  
• SSH Tectia Server for IBM z/OS 5.2.1
  
• SSH Tectia Manager 2.2.1
  
• SSH Tectia Manager 2.1.4

If you have a valid license file for one of the above product versions, you can get the updated package from:

http://www.ssh.com/support/downloads/



SSH Communications Security apologizes for any inconvenience that this vulnerability may have caused. We take security of the systems of our customers very seriously and do our utmost to provide secure software with minimum defects. We strongly urge all customers to consider the implications of this vulnerability carefully and to make an educated decision on whether or not to update.