Описание
Weak private key generation in SSH.NET
During an X25519 key exchange, the client’s private is generated with System.Random:
Source: KeyExchangeECCurve25519.cs
Source commit: https://github.com/sshnet/SSH.NET/commit/b58a11c0da55da1f5bad46faad2e9b71b7cb35b3
System.Random is not a cryptographically secure random number generator, it must therefore not be used for cryptographic purposes.
Impact
When establishing an SSH connection to a remote host, during the X25519 key exchange, the private key is generated with a weak random number generator whose seed can be bruteforced. This allows an attacker able to eavesdrop the communications to decrypt them.
Workarounds
To ensure you're not affected by this vulnerability, you can disable support for curve25519-sha256 and curve25519-sha256@libssh.org key exchange algorithms by invoking the following method before a connection is established:
Thanks
This issue was initially reported by Siemens AG, Digital Industries, shortly followed by @yaumn-synacktiv.
Ссылки
- https://github.com/sshnet/SSH.NET/security/advisories/GHSA-72p8-v4hg-v45p
- https://nvd.nist.gov/vuln/detail/CVE-2022-29245
- https://github.com/sshnet/SSH.NET/commit/03c6d60736b8f7b42e44d6989a53f9b644a091fb
- https://github.com/sshnet/SSH.NET/commit/f1f273cf349532b9d41c1de51d3b83a9accedc88
- https://github.com/sshnet/SSH.NET/blob/bc99ada7da3f05f50d9379f2644941d91d5bf05a/src/Renci.SshNet/Security/KeyExchangeECCurve25519.cs#L51
- https://github.com/sshnet/SSH.NET/releases/tag/2020.0.2
Пакеты
SSH.NET
< 2020.0.2
2020.0.2
Связанные уязвимости
SSH.NET is a Secure Shell (SSH) library for .NET. In versions 2020.0.0 and 2020.0.1, during an `X25519` key exchange, the client’s private key is generated with `System.Random`. `System.Random` is not a cryptographically secure random number generator, it must therefore not be used for cryptographic purposes. When establishing an SSH connection to a remote host, during the X25519 key exchange, the private key is generated with a weak random number generator whose seed can be brute forced. This allows an attacker who is able to eavesdrop on the communications to decrypt them. Version 2020.0.2 contains a patch for this issue. As a workaround, one may disable support for `curve25519-sha256` and `curve25519-sha256@libssh.org` key exchange algorithms.