ArchLinux: 201602-18: libssh: man-in-the-middle
Summary
libssh versions 0.1 and above have a bits/bytes confusion bug and
generate the an anormaly short ephemeral secret for the
diffie-hellman-group1 and diffie-hellman-group14 key exchange methods.
The resulting secret is 128 bits long, instead of the recommended sizes
of 1024 and 2048 bits respectively. There are practical algorithms (Baby
steps/Giant steps, Pollard’s rho) that can solve this problem in O(2^63)
operations.
Both client and server are are vulnerable, pre-authentication. This
vulnerability could be exploited by an eavesdropper with enough
resources to decrypt or intercept SSH sessions. The bug was found during
an internal code review by Aris Adamantiadis of the libssh team.
Resolution
Upgrade to 0.7.3-1.
# pacman -Syu "libssh>=0.7.3-1"
The problem has been fixed upstream in version 0.7.3.
References
https://access.redhat.com/security/cve/CVE-2016-0739
Workaround
This issue may be worked around by using other key exchange methods, such as curve25519-sha256@libssh.org or ecdh-sha2-nistp256, both are not vulnerable. By default, an unpatched libssh implementation will already attempt to use these two more secure methods when supported by the other party.