OpenSSH Fixes Side Channel Attacks

By

It now encrypts all secret keys.

There is a rise in memory side-channel vulnerabilities like RAMBleed, Spectre, and Meltdown. OpenSSH is often at the center of attacks where a bad actor “exploits memory read vulnerabilities to steal secret SSH private keys from the restricted memory regions of the system,” according to the Hacker News.

The root case of this issue is that fact that the OpenSSH agent stores a copy of the SSH keys in the memory (RAM of CPU), eliminating the need of entering a passphrase to log into the server via SSH. Since these keys are stored in either RAM or CPU in plaintext, they are susceptible to attacks.

The OpenSSH community is now fixing this issue through an update. OpenSSH will now encrypt private keys before storing them into the system memory.

“Attackers must recover the entire prekey with high accuracy before they can attempt to decrypt the shielded private key, but the current generation of attacks have bit error rates that, when applied cumulatively to the entire prekey, make this unlikely,” said Damien Miller of the OpenBSD project on a mailing list.

07/02/2019

Related content

  • RAMBleed Attack Discovered
  • SSH on Windows

    For Linux admins, SSH is one the most important tools of remote administration. SSH also works in Windows, with tools such as PuTTY or WinSSH, MobaXterm, WinSCP, or Swish.

  • Secure SSH connections the right way
    Admins use SSH, the proverbial Swiss army knife of system management, for many of their daily tasks, but no matter how powerful the tool might be, it typically does not offer adequate protection. We look at ways to tighten SSH security.
  • TCP Stealth hides open ports
    Port scans for finding vulnerable services are nothing new, and port knocking as a defense has been around for a while, too. TCP Stealth tries to do something similar, but it takes a more sophisticated approach. We take a closer look.
  • SSH tools for Windows
    For Linux admins, SSH is one the most important tools of remote administration. SSH also works in Windows, with tools such as PuTTY or WinSSH, MobaXterm, WinSCP, or Swish.
comments powered by Disqus