This is an important SECURITY and maintenance release in order to address CVE-2016-0739 – Bits/bytes confusion resulting in truncated Difffie-Hellman secret length.
libssh versions 0.1 and above have a bits/bytes confusion bug and generate the an anormaly short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods.
The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. There are practical algorithms (Baby steps/Giant steps, Pollard’s rho) that can solve this problem in O(2^63) operations.
Both client and server are are vulnerable, pre-authentication. This vulnerability could be exploited by an eavesdropper with enough resources to decrypt or intercept SSH sessions. The bug was found during an internal code review by Aris Adamantiadis of the libssh team.
This issue may be worked around by using other key exchange methods, such as gro.h1603258390ssbil1603258390@652a1603258390hs-911603258390552ev1603258390ruc1603258390 or ecdh-sha2-nistp256, both are not vulnerable. By default, an unpatched libssh implementation will already attempt to use these two more secure methods when supported by the other party.
Advisories and Download
Advisories and patches for older versions can be found here.
You can download libssh 0.7.3 here.
- Fixed CVE-2016-0739
- Fixed ssh-agent on big endian
- Fixed some documentation issues