COMMAND

    ssh

SYSTEMS AFFECTED

    ssh-1.2.27

PROBLEM

    While developing OpenSSH Niels Provos has discovered the following
    flaw in ssh-1.2.27.  Older versions may  be affected too.   During
    connection  setup  the  ssh-server  sends  it's  public  host  key
    information to the client.   This information consists of the  RSA
    parameters 'e', 'n' and the size of 'n' in bits.

    The ssh-1.2.27 client  does not check  whether the announced  size
    is equal to the actual size  of 'n' and blindly uses the  supplied
    information, displays  it to  the user  and saves  the information
    in the ~/.ssh/known_hosts file.

    Thus it is possible for a malicious server to announce a parameter
    size of 1024 bits while actually transmitting a host key with only
    1017 bits (the 7 most significant bits are set to 0).  While  this
    _may_ not be actively exploitable it is at least misleading, since
    the user thinks he is using a 'more' secure key.

SOLUTION

    Needless to  mention that  OpenSSH does  check the  actual size of
    the transmitted parameter 'n'.