Bugzilla – Bug 932483
VUL-1: openssh: The Logjam Attack / weakdh.org
Last modified: 2019-01-31 13:33:26 UTC
+++ This bug was initially created as a clone of Bug #931600 +++ This bug refers to the openssh Logjam impact.
OpenSSH includes "weak", hardcoded DH parameters (Oakley Groups), as required by RFC. Nevertheless, more recent versions are not affected, as they are using ECDH Kex by default. Additionally, it can be configured on server and client side which Kex algos are offered. It is not possible (unlike with TLS) by a MiM to downgrade the offered Kex ciphers to something like "export" or fixed DH parameters. So, this is more of a configuration issue.
Some references on how to secure your SSH config:
https://stribika.github.io/2015/01/04/secure-secure-shell.html
https://presentations.nordisch.org/olddognewtricks/
AFAIS, sle11sp3 and sle12 already use ECDH Kex.
I also checked sle11sp1. As sle11sp1 is using openssh-5.1p1, this version is already using "dynamic" DH parameters:
    #if OPENSSL_VERSION_NUMBER < 0x00907000L
    # define KEX_DEFAULT_KEX \
        "diffie-hellman-group-exchange-sha1," \
        "diffie-hellman-group14-sha1," \
        "diffie-hellman-group1-sha1"
    #else
    # define KEX_DEFAULT_KEX \
        "diffie-hellman-group-exchange-sha256," \
        "diffie-hellman-group-exchange-sha1," \
        "diffie-hellman-group14-sha1," \
        "diffie-hellman-group1-sha1"
    #endif
which means that there are group parameters negotiated during Kex with help of the moduli file. Only if this file does not exist, it's a fallback to use the hardcoded DH params. So this version is not affected either. Later versions also add curve parameters in front of the proposal.
Though, it is recommended to "adjust" your moduli file (or to create it) to remove all moduli with a bitlength below your "trust-boundary", as recommended in the references from comment#1. Note that 1024bit params are estimated to take ~45 million core-years of computation, which is still quite a large time slice. :)
bugbot adjusting priority
We need to remove the 1023bit size DH params (which are indeed 1024bit in size due to manpage flaw) from the moduli file. They are a prime target for pre-compute DL/weakdh. openssh-6.9 will ship without 1024bit sizes: https://anongit.mindrot.org/openssh.git/tree/moduli Also, we might want to think about enlarging DH_GRP_MIN in our future builds.
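One way to carry out the moduli clean-up discussed in the comments above (an added example, not code from this bug report or from OpenSSH). The sample entries and the function names moduli_summary and filter_moduli are constructed for illustration; the size+1 comparison follows the remark above that a listed size of 1023 denotes a 1024-bit prime.

```shell
#!/bin/sh
# Added example: audit and filter an OpenSSH moduli file by prime size.
# moduli(5) fields: time type tests trials size generator modulus.
# As noted in the thread, the size field is one less than the bit length
# (1023 means a 1024-bit prime), so compare size+1 against the minimum.

# Print "bits count" for each prime size present in the file.
moduli_summary() {
    awk '!/^#/ && NF >= 7 { n[$5 + 1]++ }
         END { for (b in n) print b, n[b] }' "$1" | sort -n
}

# Print only entries whose prime is at least $1 bits; comments are kept.
filter_moduli() {
    awk -v min="$1" '/^#/ { print; next }
         NF >= 7 && $5 + 1 >= min { print }' "$2"
}

# Constructed sample: moduli values are shortened placeholders, not real primes.
make_sample() {
    cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150522025931 2 6 100 1023 2 C0FFEE01
20150522025936 2 6 100 1023 5 C0FFEE02
20150522030210 2 6 100 1535 2 C0FFEE03
20150522031044 2 6 100 2047 2 C0FFEE04
20150522033020 2 6 100 3071 5 C0FFEE05
EOF
}

# Show the size distribution before and after dropping primes below 2048 bits.
demo() {
    tmp=$(mktemp) || return 1
    make_sample > "$tmp"
    echo "before:"; moduli_summary "$tmp"
    echo "after (min 2048):"
    filter_moduli 2048 "$tmp" > "$tmp.new"
    moduli_summary "$tmp.new"
    rm -f "$tmp" "$tmp.new"
}

demo
```

Run moduli_summary on the filtered output before installing it in place of the system moduli file, and confirm it still lists entries at the sizes you intend to offer.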
(In reply to Sebastian Krahmer from comment #7)
> We need to remove the 1023bit size DH params (which are indeed 1024bit in
> size due to manpage flaw) from the moduli file. They are a prime target for
> pre-compute DL/weakdh.
>
> openssh-6.9 will ship without 1024bit sizes:
> https://anongit.mindrot.org/openssh.git/tree/moduli
>
> Also, we might want to think about enlarging DH_GRP_MIN in our
> future builds.
Are we rolling this out across all code streams? I'm fine with that (and all for it), just asking for confirmation/permission. Maybe you can also assign to me, once the decision is made, so that I know I should proceed.
OpenSSH 6.9p1 removes 1k groups:
https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=5ab7d5fa03ad55bc438fab45dfb3aeb30a3c237a
From 5ab7d5fa03ad55bc438fab45dfb3aeb30a3c237a Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Thu, 28 May 2015 10:03:40 +1000
Subject: New moduli file from OpenBSD, removing 1k groups.
Remove 1k bit groups.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-07-29. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62212
not sure if we can see this easily as reproducer.
(ssh -Q kex HOSTNAME shows the kex algorithms, ssh -vv HOSTNAME shows the kex exchanges, but not the dh group bitsize)
SUSE-SU-2015:1544-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 903649,932483,936695,938746,943006,943010
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Server 12 (src): openssh-6.6p1-29.1, openssh-askpass-gnome-6.6p1-29.1
SUSE Linux Enterprise Desktop 12 (src): openssh-6.6p1-29.1, openssh-askpass-gnome-6.6p1-29.1
SUSE-SU-2015:1547-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 673532,903649,905118,914309,916549,932483,936695,938746,943006,943010
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): openssh-6.2p2-0.17.1, openssh-askpass-gnome-6.2p2-0.17.3
SUSE Linux Enterprise Server 11-SP3 (src): openssh-6.2p2-0.17.1, openssh-askpass-gnome-6.2p2-0.17.3
SUSE-SU-2015:1547-2: An update that solves 5 vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 673532,903649,905118,914309,916549,932483,936695,938746,943006,943010
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Desktop 11-SP3 (src): openssh-6.2p2-0.17.1, openssh-askpass-gnome-6.2p2-0.17.3
SUSE Linux Enterprise Debuginfo 11-SP3 (src): openssh-6.2p2-0.17.1, openssh-askpass-gnome-6.2p2-0.17.3
SUSE-SU-2015:1581-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.
Category: security (important)
Bug References: 673532,903649,905118,914309,916549,932483,936695,938746,943006,943010,945493
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): openssh-6.2p2-0.21.1, openssh-askpass-gnome-6.2p2-0.21.3
SUSE Linux Enterprise Server 11-SP3 (src): openssh-6.2p2-0.21.1, openssh-askpass-gnome-6.2p2-0.21.3
SUSE Linux Enterprise Desktop 11-SP3 (src): openssh-6.2p2-0.21.1, openssh-askpass-gnome-6.2p2-0.21.3
SUSE Linux Enterprise Debuginfo 11-SP3 (src): openssh-6.2p2-0.21.1, openssh-askpass-gnome-6.2p2-0.21.3
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-10-21. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62308
SUSE-SU-2015:1695-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 903649,932483,936695,938746,939932,943006,943010,945484,945493,947458
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): openssh-6.6p1-13.1, openssh-askpass-gnome-6.6p1-13.3
SUSE Linux Enterprise Desktop 11-SP4 (src): openssh-6.6p1-13.1, openssh-askpass-gnome-6.6p1-13.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src): openssh-6.6p1-13.1, openssh-askpass-gnome-6.6p1-13.3
SUSE-SU-2015:1840-1: An update that solves three vulnerabilities and has four fixes is now available.
Category: security (moderate)
Bug References: 673532,903649,905118,914309,932483,936695,938746
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): openssh-5.1p1-41.69.1, openssh-askpass-gnome-5.1p1-41.69.4
released
According to the latest change, it was decided to raise the minimum accepted size of the prime numbers to 2048 bits:
Added openssh-6.6p1-disable_short_DH_parameters.patch:
> +Raise minimal size of DH group parameters to 2048 bits like upstream did in
> +7.2. 1024b values are believed to be in breaking range for state adversaries
> +and the default moduli shipped with openssh have been around long enough to
> +make it more likely for them to be broken.
However, the moduli file still contains 1536-bit prime numbers which, according to Sebastian's comments below, is not recommended.
(In reply to Sebastian Krahmer from comment #3)
> Though, it is recommended to "adjust" your moduli file (or to create it)
> to remove all moduli with a bitlength below your "trust-boundary",
> as recommended in the references from comment#1.
(In reply to Sebastian Krahmer from comment #7)
> We need to remove the 1023bit size DH params (which are indeed 1024bit in
> size due to manpage flaw) from the moduli file. They are a prime target for
> pre-compute DL/weakdh.
>
> openssh-6.9 will ship without 1024bit sizes:
> https://anongit.mindrot.org/openssh.git/tree/moduli
Finally, upstream seems to have removed 1535 bit primes from the moduli file as well. That is perhaps not important but I mention it nevertheless.
SUSE-SU-2016:1386-1: An update that solves three vulnerabilities and has 9 fixes is now available.
Category: security (moderate)
Bug References: 729190,932483,945484,945493,947458,948902,960414,961368,962313,965576,970632,975865
CVE References: CVE-2015-8325,CVE-2016-1908,CVE-2016-3115
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): openssh-6.6p1-42.1, openssh-askpass-gnome-6.6p1-42.1
SUSE Linux Enterprise Server 12 (src): openssh-6.6p1-42.1, openssh-askpass-gnome-6.6p1-42.1
SUSE Linux Enterprise Desktop 12-SP1 (src): openssh-6.6p1-42.1, openssh-askpass-gnome-6.6p1-42.1
SUSE Linux Enterprise Desktop 12 (src): openssh-6.6p1-42.1, openssh-askpass-gnome-6.6p1-42.1
This is an autogenerated message for OBS integration:
This bug (932483) was mentioned in
https://build.opensuse.org/request/show/398334 13.2 / openssh
openSUSE-SU-2016:1455-1: An update that solves three vulnerabilities and has 9 fixes is now available.
Category: security (moderate)
Bug References: 729190,932483,945484,945493,947458,948902,960414,961368,962313,965576,970632,975865
CVE References: CVE-2015-8325,CVE-2016-1908,CVE-2016-3115
Sources used:
openSUSE Leap 42.1 (src): openssh-6.6p1-11.1, openssh-askpass-gnome-6.6p1-11.1
SUSE-SU-2016:1528-1: An update that solves three vulnerabilities and has 7 fixes is now available.
Category: security (moderate)
Bug References: 729190,932483,948902,960414,961368,961494,962313,965576,970632,975865
CVE References: CVE-2015-8325,CVE-2016-1908,CVE-2016-3115
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): openssh-6.6p1-21.1, openssh-askpass-gnome-6.6p1-21.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src): openssh-6.6p1-21.1, openssh-askpass-gnome-6.6p1-21.3
SUSE-SU-2016:2388-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 932483,948902,959096,962313,962794,970632,975865,981654,989363,992533
CVE References: CVE-2015-8325,CVE-2016-1908,CVE-2016-3115,CVE-2016-6210,CVE-2016-6515
Sources used:
SUSE OpenStack Cloud 5 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Manager Proxy 2.1 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Manager 2.1 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Linux Enterprise Server 11-SP3-LTSS (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Linux Enterprise Point of Sale 11-SP3 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Linux Enterprise Debuginfo 11-SP3 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
still in progress
SUSE-SU-2016:2555-1: An update that solves 5 vulnerabilities and has 8 fixes is now available.
Category: security (moderate)
Bug References: 729190,932483,948902,960414,961368,961494,962313,965576,970632,975865,981654,989363,992533
CVE References: CVE-2015-8325,CVE-2016-1908,CVE-2016-3115,CVE-2016-6210,CVE-2016-6515
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src): openssh-openssl1-6.6p1-15.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-01-25. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63339