how sidechannel attacks are endangering almost all linux servers running OpenSSH (so almost all)

28.Jun.2019

alternatives, Cybercrime, CyberSec / ITSec / Sicherheit / Security / SPAM, Cyberwar, hacking, hacktivism, Hardware / Reviews, hardware fail

Update: 2020.03

“The newly developed Rowhammer- attack TRRespass can crack the RAM-a security mechanism by many DDR4-DRAM-modules as well as LPDDR4 Chips. Until now, these were considered to be almost immune to Rowhammer attacks.”

https://www.com-magazin.de/news/sicherheit/software-hammer-ram-schutz-attackiert-2515621.html

Update: 2019.10

Zombieload is back.

“This time a new variant (v2) of the data-leaking side-channel vulnerability also affects the most recent Intel CPUs, including the latest Cascade Lake, which are otherwise resistant against attacks like Meltdown, Foreshadow and other MDS variants (RIDL and Fallout).” (src: thehackernews.com)

“In recent years, several groups of cybersecurity researchers have disclosed dozens of memory side-channel vulnerabilities in modern processors and DRAMs, like Rowhammer, RAMBleed, Spectre, and Meltdown.

“Have you ever noticed they all had at least one thing in common?”

Attacks against RAM stored private keys of OpenSSH!

everyone makes mistakes – but Intel i really start to hate you now.

Intel should ship all their customers with fixed CPUs (it is not an implementation flaw, it is a design flaw, so modifications to the architecture needs to be made) for free or be demolished forever by ARM or even better: RISC-V

Intel’s 11th-generation ‘Ice Lake’ CPUs will have fixes for Meltdown, Spectre(?) (src)

it seems 10th gen was skipped.

it comes with Thunderbold 3 and Wifi 6 on board.

Mai 2019: first waver chips shown on stage.

you can not buy them yet in July 2019.

official intel keynote recording ComputeX 2019

„The RISC-V Foundation says that no currently announced RISC-V CPU is vulnerable to Meltdown and Spectre“ (src: tomshardware.com)

this is by far the biggest fail in CPU history – it is not an implementation error – it is an design error – it’s like when the architect designs a house to be super efficient – but the house’s design has a weak spot – and if you use a small hammer on it – the front door will collapse and any thief can enter and steal.

“As a proof-of-concept, many researchers demonstrated their side-channel attacks against OpenSSH application installed on a targeted computer, where an unprivileged attacker-owned process exploits memory read vulnerabilities to steal secret SSH private keys from the restricted memory regions of the system.”

src: thehackernews.com

Module name:	src

Modified files:
	usr.bin/ssh    : authfd.c authfd.h krl.c krl.h ssh-agent.c 
	                 ssh-keygen.c sshconnect.c sshconnect.h sshd.c 
	                 sshkey.c sshkey.h 
Log message:
Add protection for private keys at rest in RAM against speculation
and memory sidechannel attacks like Spectre, Meltdown, Rowhammer and
Rambleed. This change encrypts private keys when they are not in use
with a symmetic key that is derived from a relatively large "prekey"
consisting of random data (currently 16KB).

more info: marc.info

where are the sources?

Normal OpenSSH development produces a very small, secure, and easy to maintain version for the OpenBSD project. The OpenSSH Portability Team takes that pure version and adds portability code so that OpenSSH can run on many other operating systems (Unfortunately, in particular since OpenSSH does authentication, it runs into a *lot* of differences between Unix operating systems).

The OpenSSH provided here is designed to run on the following Unix operating systems:

AIX
HP-UX
Irix
Linux
NeXT
SCO
SNI/Reliant Unix
Solaris
Digital Unix/Tru64/OSF
Mac OS X
Cygwin
… and more are being added all the time.

https://www.openssh.com/portable.html

https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/

what to do?

install the latest version of OpenSSH and apply all patches.

https://www.tecmint.com/install-openssh-server-from-source-in-linux/

# check your installed version of ssh
ssh -V

liked this article?

only together we can create a truly free world
plz support dwaves to keep it up & running!
(yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
really really hate advertisement
contribute: whenever a solution was found, blog about it for others to find!
talk about, recommend & link to this blog and articles
thanks to all who contribute!

admin