=======================================================================
== Subject:    Weakness in diffie-hellman secret key generation
==
== CVE ID#:    CVE-2016-0739
==
== Versions:   All versions of libssh 0.1 and later
==
== Summary:    Due to a bug in the ephemeral secret key generation for
==             the diffie-hellman-group1 and diffie-hellman-group14
==             methods, ephemeral secret keys of size 128 bits are
==             generated, instead of the recommended sizes of 1024 and
==             2048 bits, giving a practical security of 63 bits.
==
==             This vulnerability could be exploited by an eavesdropper
==             with enough resources to decrypt or intercept SSH
==             sessions.
==             No authentication is required.
==
=======================================================================

===========
Description
===========

libssh versions 0.1 and above have a bits/bytes confusion bug and generate the
an anormaly short ephemeral secret for the diffie-hellman-group1 and
diffie-hellman-group14 key exchange methods.
The resulting secret is 128 bits long, instead of the recommended sizes of 1024
and 2048 bits respectively. There are practical algorithms (Baby steps/Giant
steps, Pollard's rho) that can solve this problem in O(2^63) operations.

Both client and server are are vulnerable, pre-authentication.
This vulnerability could be exploited by an eavesdropper with enough resources
to decrypt or intercept SSH sessions.

The bug was found during an internal code review by Aris Adamantiadis of the
libssh team.

==================
Patch Availability
==================

Patches addressing the issue have been posted to:

    https://www.libssh.org/

libssh version 0.7.3 has been released to address this issue.

==========
Workaround
==========

This issue may be worked around by using other key exchange methods, such as
curve25519-sha256@libssh.org or ecdh-sha2-nistp256, both are not vulnerable.
By default, an unpatched libssh implementation will already attempt to use
these two more secure methods when supported by the other party.

=======
Credits
=======

The bug was found during code review by Aris Adamantiadis.

Patches are provided by the libssh team.

==========================================================
== The libssh team
==========================================================