===========================================================
== Subject:     Potential downgrade attack by prefix
==              truncation on BPP with some MAC mechanisms
==
== CVE ID#:     CVE-2023-48795
==
== Versions:    all libssh versions < 0.10.6 and < 0.9.8
==
== Summary:     MitM attacker can misuse weakness in the BPP
==              to send additional packets and remove first
==              packet after NEWKEYS to prevent SSH extension
==              negotiation possibly downgrading used signature
==              algorithm during authentication when certain
==              MAC algorithms are negotiated.
==
===========================================================

===========
Description
===========

The SSH Binary Packet Protocol (BPP) has a weakness that allows a Man in
the Middle (MitM) attacker to manipulate several messages during the
handshake. This is possible only when the client negotiates the cipher
ChaCha20-Poly1305, or AES-CBC together with the Encrypt-then-MAC
integrity mechanism.

The manipulation happens during the handshake, while packets are not yet
encrypted and authenticated. Inserting meaningless messages at this point
shifts the sequence numbers of one peer before encryption is turned on
with the NEWKEYS message, so removing the first encrypted message
afterwards can go undetected.

The practical outcome is the removal of the first message of the
conversation, EXT_INFO (from RFC 8308), which carries information about
the SHA2 algorithms supported with RSA signatures, and could cause a
downgrade to SHA1.

==================
Patch Availability
==================

Patches addressing the issues have been posted to:

    https://www.libssh.org/security/

Additionally, libssh 0.10.6 and 0.9.8 have been issued as security
releases to correct the defect. SSH administrators are advised to
upgrade to these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N (3.7)

==========
Workaround
==========

Temporarily disabling the `chacha20-poly1305@openssh.com` cipher and the
`*-etm@openssh.com` MACs makes the attack non-feasible.

=======
Credits
=======

Originally reported by Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk
from Ruhr University Bochum.

Patches provided by Aris Adamantiadis and Jakub Jelen of the libssh team.

==========================================================
== The libssh team
==========================================================
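The following is an added audit helper, not code from the libssh project or from this advisory. It flags the cipher/MAC combinations the Description names as affected (generalised to any `*-cbc` cipher paired with an `*-etm@openssh.com` MAC, not only AES-CBC) and applies the Workaround to libssh-style comma-separated preference lists; the sample lists are constructed.

```python
"""Audit SSH algorithm selections against the CVE-2023-48795 advisory.
Added example, not code from libssh or from the advisory itself."""
import re
from typing import List, Tuple

CHACHA = "chacha20-poly1305@openssh.com"
CBC_CIPHER = re.compile(r"-cbc$")            # any CBC-mode cipher name
ETM_MAC = re.compile(r"-etm@openssh\.com$")  # Encrypt-then-MAC variants


def pair_is_affected(cipher: str, mac: str) -> bool:
    """A negotiated (cipher, MAC) pair is affected when the cipher is
    ChaCha20-Poly1305 (integrity is handled by the AEAD, so the MAC
    does not matter) or when a CBC cipher is paired with an EtM MAC."""
    if cipher == CHACHA:
        return True
    return bool(CBC_CIPHER.search(cipher) and ETM_MAC.search(mac))


def harden_ciphers(prefs: str) -> str:
    """Workaround step 1: drop chacha20-poly1305@openssh.com from a
    comma-separated cipher preference list."""
    return ",".join(c for c in prefs.split(",") if c and c != CHACHA)


def harden_macs(prefs: str) -> str:
    """Workaround step 2: drop every *-etm@openssh.com MAC."""
    return ",".join(m for m in prefs.split(",") if m and not ETM_MAC.search(m))


def audit_preference_lists(ciphers: str, macs: str) -> List[Tuple[str, str]]:
    """List every (cipher, MAC) combination a peer could steer the
    negotiation into that is affected. Empty means the workaround holds."""
    return [(c, m)
            for c in ciphers.split(",") if c
            for m in macs.split(",") if m
            if pair_is_affected(c, m)]


if __name__ == "__main__":
    # Constructed sample preference lists in libssh's comma-separated format.
    ciphers = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes256-cbc"
    macs = "hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1"
    print("affected before:", audit_preference_lists(ciphers, macs))
    hc, hm = harden_ciphers(ciphers), harden_macs(macs)
    print("hardened ciphers:", hc)
    print("hardened MACs:   ", hm)
    print("affected after: ", audit_preference_lists(hc, hm))
```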