Weak private key generation in SSH.NET
Discription

During an **X25519** key exchange, the client’s private is generated with [**System.Random**](https://docs.microsoft.com/en-us/dotnet/api/system.random):

“`cs
var rnd = new Random();
_privateKey = new byte[MontgomeryCurve25519.PrivateKeySizeInBytes];
rnd.NextBytes(_privateKey);
“`

Source: [KeyExchangeECCurve25519.cs](https://github.com/sshnet/SSH.NET/blob/bc99ada7da3f05f50d9379f2644941d91d5bf05a/src/Renci.SshNet/Security/KeyExchangeECCurve25519.cs#L51)
Source commit: https://github.com/sshnet/SSH.NET/commit/b58a11c0da55da1f5bad46faad2e9b71b7cb35b3

[**System.Random**](https://docs.microsoft.com/en-us/dotnet/api/system.random) is not a cryptographically secure random number generator, it must therefore not be used for cryptographic purposes.

### Impact
When establishing an SSH connection to a remote host, during the X25519 key exchange, the private key is generated with
a weak random number generator whose seed can be bruteforced. This allows an attacker able to eavesdrop the
communications to decrypt them.

### Workarounds
To ensure you’re not affected by this vulnerability, you can disable support for `curve25519-sha256` and `[email protected]` key exchange algorithms by invoking the following method before a connection is established:
“`cs
private static void RemoveUnsecureKEX(BaseClient client)
{
client.ConnectionInfo.KeyExchangeAlgorithms.Remove(“curve25519-sha256”);
client.ConnectionInfo.KeyExchangeAlgorithms.Remove(“[email protected]”);
}
“`

### Thanks

This issue was initially reported by **Siemens AG, Digital Industries**, shortly followed by @yaumn-synacktiv.Read More

Back to Main

Subscribe for the latest news: