GHSA-72P8-V4HG-V45P

Vulnerability from github – Published: 2022-06-01 19:50 – Updated: 2022-06-15 18:57
VLAI?
Summary
Weak private key generation in SSH.NET
Details

During an X25519 key exchange, the client’s private is generated with System.Random:

var rnd = new Random();
_privateKey = new byte[MontgomeryCurve25519.PrivateKeySizeInBytes];
rnd.NextBytes(_privateKey);

Source: KeyExchangeECCurve25519.cs
Source commit: https://github.com/sshnet/SSH.NET/commit/b58a11c0da55da1f5bad46faad2e9b71b7cb35b3

System.Random is not a cryptographically secure random number generator, it must therefore not be used for cryptographic purposes.

Impact

When establishing an SSH connection to a remote host, during the X25519 key exchange, the private key is generated with a weak random number generator whose seed can be bruteforced. This allows an attacker able to eavesdrop the communications to decrypt them.

Workarounds

To ensure you're not affected by this vulnerability, you can disable support for curve25519-sha256 and curve25519-sha256@libssh.org key exchange algorithms by invoking the following method before a connection is established:

private static void RemoveUnsecureKEX(BaseClient client)
{
    client.ConnectionInfo.KeyExchangeAlgorithms.Remove("curve25519-sha256");
    client.ConnectionInfo.KeyExchangeAlgorithms.Remove("curve25519-sha256@libssh.org");
}

Thanks

This issue was initially reported by Siemens AG, Digital Industries, shortly followed by @yaumn-synacktiv.

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "SSH.NET"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2020.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330",
      "CWE-338"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-01T19:50:15Z",
    "nvd_published_at": "2022-05-31T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "During an **X25519** key exchange, the client\u2019s private is generated with [**System.Random**](https://docs.microsoft.com/en-us/dotnet/api/system.random):\n\n```cs\nvar rnd = new Random();\n_privateKey = new byte[MontgomeryCurve25519.PrivateKeySizeInBytes];\nrnd.NextBytes(_privateKey);\n```\n\nSource: [KeyExchangeECCurve25519.cs](https://github.com/sshnet/SSH.NET/blob/bc99ada7da3f05f50d9379f2644941d91d5bf05a/src/Renci.SshNet/Security/KeyExchangeECCurve25519.cs#L51)  \nSource commit: https://github.com/sshnet/SSH.NET/commit/b58a11c0da55da1f5bad46faad2e9b71b7cb35b3\n\n[**System.Random**](https://docs.microsoft.com/en-us/dotnet/api/system.random) is not a cryptographically secure random number generator, it must therefore not be used for cryptographic purposes.\n\n### Impact\nWhen establishing an SSH connection to a remote host, during the X25519 key exchange, the private key is generated with\na weak random number generator whose seed can be bruteforced. This allows an attacker able to eavesdrop the\ncommunications to decrypt them.\n\n### Workarounds\nTo ensure you\u0027re not affected by this vulnerability, you can disable support for `curve25519-sha256` and `curve25519-sha256@libssh.org` key exchange algorithms by invoking the following method before a connection is established:\n```cs\nprivate static void RemoveUnsecureKEX(BaseClient client)\n{\n    client.ConnectionInfo.KeyExchangeAlgorithms.Remove(\"curve25519-sha256\");\n    client.ConnectionInfo.KeyExchangeAlgorithms.Remove(\"curve25519-sha256@libssh.org\");\n}\n```\n\n### Thanks\n\nThis issue was initially reported by **Siemens AG, Digital Industries**, shortly followed by @yaumn-synacktiv.",
  "id": "GHSA-72p8-v4hg-v45p",
  "modified": "2022-06-15T18:57:58Z",
  "published": "2022-06-01T19:50:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sshnet/SSH.NET/security/advisories/GHSA-72p8-v4hg-v45p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29245"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sshnet/SSH.NET/commit/03c6d60736b8f7b42e44d6989a53f9b644a091fb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sshnet/SSH.NET/commit/f1f273cf349532b9d41c1de51d3b83a9accedc88"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sshnet/SSH.NET"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sshnet/SSH.NET/blob/bc99ada7da3f05f50d9379f2644941d91d5bf05a/src/Renci.SshNet/Security/KeyExchangeECCurve25519.cs#L51"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sshnet/SSH.NET/releases/tag/2020.0.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Weak private key generation in SSH.NET"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.