
List:       oss-security
Subject:    [oss-security] dropbear and PuTTY missing DHE sanity checks  [was: Re: CVE request: RFC 4253 section
From:       Daniel Kahn Gillmor <dkg () fifthhorseman ! net>
Date:       2015-02-27 15:11:36
Message-ID: 87zj7zo0d3.fsf () alice ! fifthhorseman ! net

On Fri 2015-02-27 06:59:57 -0500, Florent Daigniere wrote:

> RFC 4253 section 8 describes how the Diffie-Hellman exchange is done in
> SSH... It mandates a few sanity bound-checks (for both the values of
> exponents and exponentials) that some implementations are not doing...
>
> Can you please assign three CVEs for the following bugs?
>
> MATTA-2015-002 PuTTY
> will be fixed in the upcoming release (0.64 I think)
> - The exponential is not checked for trivial values
>
> MATTA-2015-001 Dropbox
                 ^^^^^^^ I'm pretty sure you mean dropbear here, based
                         on the links below.
                 
> fixed in: https://secure.ucc.asn.au/hg/dropbear/rev/a1e79ffa5862
> - The exponential is not checked for all trivial values (it just does
> what the RFC mandates, which is clearly not enough!)
> - The exponent picked might be a trivial value (this is theoretical more
> than anything else assuming the CSPRNG is working). It's a regression
> from 0.49
> (https://secure.ucc.asn.au/hg/dropbear/diff/00703f1df67a/random.c)

regards,

  --dkg
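The two levels of sanity check the thread is about, as an added example (not code from this thread, from dropbear or from PuTTY). RFC 4253 section 8 only requires the received exponential to lie in [1, p-1]; the stricter check also rejects the endpoints 1 and p-1, which pass the literal range test while forcing the shared secret into {1, p-1} whatever the private exponent is. The group parameters are a constructed toy safe prime (p = 23, q = 11, g = 2), chosen so the arithmetic is readable, not an SSH group. The subgroup-membership test is an extra beyond what the thread discusses, and `choose_exponent` takes an injectable `randbelow` so its rejection of trivial exponents can be exercised deterministically.

```python
# Added example, not code from the oss-security thread or from dropbear/PuTTY.
# Validates a Diffie-Hellman exponential (the peer's e or f) the way RFC 4253
# section 8 states it and the stricter way argued for in the thread, and
# validates a locally chosen exponent before it is used.

# Constructed toy safe-prime group (p = 2q + 1); g = 2 has order q mod 23.
TOY_P = 23
TOY_Q = 11
TOY_G = 2


def rfc4253_range_ok(e: int, p: int) -> bool:
    """The check RFC 4253 section 8 spells out: e (or f) must lie in [1, p-1]."""
    return 1 <= e <= p - 1


def strict_exponential_ok(e: int, p: int) -> bool:
    """Stricter check: additionally reject the endpoints 1 and p-1.

    e == 1 forces K = e^y mod p to be 1, and e == p-1 forces K into {1, p-1}
    regardless of y, so both values satisfy the RFC's literal range test while
    making the shared secret trivially guessable.
    """
    return 2 <= e <= p - 2


def in_prime_order_subgroup(e: int, p: int, q: int) -> bool:
    """Optional extra beyond the thread: for a safe prime p = 2q + 1, an honest
    e = g^x mod p (g of order q) satisfies e^q mod p == 1."""
    return pow(e, q, p) == 1


def validate_peer_exponential(e: int, p: int, q: int) -> bool:
    """Combined acceptance test for a received exponential."""
    return strict_exponential_ok(e, p) and in_prime_order_subgroup(e, p, q)


def choose_exponent(q: int, randbelow) -> int:
    """Pick a private exponent x with 1 < x < q (RFC 4253 section 8), rejecting
    the trivial values 0 and 1 even if the random source hands them back.

    `randbelow` is injected (e.g. secrets.randbelow) so the retry path can be
    driven deterministically in a test.
    """
    while True:
        x = randbelow(q)
        if x > 1:
            return x


def evaluate_candidate(e: int, y: int, p: int, q: int) -> dict:
    """Report what each check says about a candidate e and which K results.

    K is only computed when e is inside the RFC range, mirroring an
    implementation that stops at the RFC check; None means "never computed".
    """
    rfc_ok = rfc4253_range_ok(e, p)
    return {
        "rfc_range_ok": rfc_ok,
        "strict_ok": strict_exponential_ok(e, p),
        "accepted": validate_peer_exponential(e, p, q),
        "K": pow(e, y, p) if rfc_ok else None,
    }


if __name__ == "__main__":
    import secrets

    y = choose_exponent(TOY_Q, secrets.randbelow)
    honest_e = pow(TOY_G, choose_exponent(TOY_Q, secrets.randbelow), TOY_P)
    # 0 and p fail both checks; 1 and p-1 pass the RFC check but yield a
    # trivial K; the honest value passes everything.
    for e in (0, 1, TOY_P - 1, TOY_P, honest_e):
        print(e, evaluate_candidate(e, y, TOY_P, TOY_Q))
```

Run it as a script to see, for each candidate, which check it passes and what K comes out. The point the thread makes shows up directly: with e = 1 or e = p-1 the RFC-only implementation happily computes a K that an on-path party can predict without knowing y.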