Threat Center Security News Lower version of OpenSSH vulnerable to attack
Lower version of OpenSSH vulnerable to attack Print E-mail
Written by Rebecca Mints   
Friday, 29 May 2009 00:11
Users of the network protocol OpenSSH have been warned by security experts to upgrade their software to the latest version so as to protect encrypted data.

Developers of OpenSSH or SecureShell has come up with version 5.2 which implements countermeasures against probable attacks. The lower versions contain a flaw that attackers can exploit to read encrypted data.

Other SSH software may also have the same vulnerability, said security experts belonging to the Information Security Group at the University of London’s Royal Holloway.

The attack can be done during cryptographic processing, when an attacker could have a one in more than 200,000 chance to invade the system and read data from ciphertext.

The researchers said the vulnerability may be a flaw in design of SSH applications which uses virtual private networks to where programs repeatedly reconnect whenever it is disconnected or encounters an error. Some programs attempt at reconnection several times per second during which an attacker looks for opportunities to invade the system.  

The discovery of the flaw in OpenSSH has revived feelings of insecurity among network administrators who rely on the cryptographic software to secure the transfer of information across the internet and through the World Wide Web.  

Last year, the OpenSSL implementation has also been discovered to have a flaw where regeneration of encryption keys was found to be possible.  


WTW Threat Level