Vulnerability discovered in SSH specification

November 17, 2008 – 10:46 AM
According to the UK-based Centre for the Protection of National Infrastructure (CPNI), an error in the Secure Shell (SSH) protocol specification can in rare cases be exploited to recover part of the plaintext. According to the CPNI's description of the error, the standard OpenSSH configuration allows 32 bits of plaintext to be recovered from an arbitrary point within the ciphertext. To carry out a successful attack, an attacker must be able to observe how an SSH connection reacts to various error states and be able to induce those error states. The probability of a successful attack is, however, only 2^-18, and SSH connections are in general torn down by attempts of this type.
The CPNI does not give more precise details, but the attack is reported to be rendered ineffective by switching SSH from cipher-block chaining mode (CBC) to counter mode (CTR). Counter mode turns a block cipher into a stream cipher.
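An administrator applying the mitigation described above needs to know whether a server still offers CBC-mode ciphers and what a CTR-only `Ciphers` directive looks like. The script below is an added example, not part of the CPNI advisory or of OpenSSH: it audits the `Ciphers` directive of an `sshd_config` excerpt for `*-cbc` entries and prints a replacement line that keeps only the CTR ciphers. The cipher names `aes128-ctr`, `aes192-ctr` and `aes256-ctr` are real OpenSSH identifiers; the configuration text is constructed for the demonstration, and the helper names are the example's own.

```shell
#!/bin/sh
# Added example (not from the CPNI advisory or OpenSSH): audit an sshd_config
# "Ciphers" directive for CBC-mode ciphers and suggest a CTR-only replacement.

# Constructed sshd_config excerpt that still offers CBC ciphers.
SAMPLE_SSHD_CONFIG='Port 22
# cipher list of the kind found on many 2008-era hosts (constructed sample)
Ciphers aes128-cbc,3des-cbc,aes128-ctr,aes256-ctr
PermitRootLogin no'

# The CTR-only list recommended by this example (real OpenSSH cipher names).
CTR_FALLBACK="aes128-ctr,aes192-ctr,aes256-ctr"

# effective_ciphers CONFIG_TEXT: print the cipher list of the first "Ciphers"
# directive (OpenSSH honours the first occurrence of a keyword); prints
# nothing when the directive is absent, i.e. the compiled-in default applies.
effective_ciphers() {
    printf '%s\n' "$1" | awk 'tolower($1) == "ciphers" { print $2; exit }'
}

# cbc_entries LIST: print every *-cbc entry of a comma-separated cipher list,
# one per line; prints nothing when the list contains no CBC cipher.
cbc_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -- '-cbc$' || true
}

# ctr_only LIST: the same list with every *-cbc entry removed, comma-separated.
ctr_only() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v -- '-cbc$' | tr '\n' ',' | sed 's/,$//'
}

# audit_config CONFIG_TEXT: report the CBC ciphers in force and a hardened
# Ciphers line; returns 1 when a CBC cipher is enabled, 0 otherwise.
audit_config() {
    list=$(effective_ciphers "$1")
    if [ -z "$list" ]; then
        echo "no Ciphers directive: the server uses the OpenSSH default list"
        return 0
    fi
    cbc=$(cbc_entries "$list")
    if [ -z "$cbc" ]; then
        echo "OK: no CBC ciphers in '$list'"
        return 0
    fi
    echo "CBC ciphers enabled: $(printf '%s' "$cbc" | tr '\n' ',')"
    kept=$(ctr_only "$list")
    # If removing CBC leaves nothing, fall back to a plain CTR list.
    [ -n "$kept" ] || kept="$CTR_FALLBACK"
    echo "suggested sshd_config line: Ciphers $kept"
    return 1
}

# Demonstration run on the constructed sample.
audit_config "$SAMPLE_SSHD_CONFIG" || echo "action needed: restart sshd after editing the Ciphers line"
```

The same check applies to the client side, since `ssh_config` accepts the same `Ciphers` keyword; the CTR-only list is the one to put there as well.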