November 14, 2023

Passive SSH server private key compromise is real for some vulnerable devices

OpenSSL, LibreSSL and OpenSSH users need not worry: this one does not affect you

A recent academic study demonstrated how an attacker can intercept the SSH connections of some devices and, with some luck, impersonate those devices after secretly recovering the hosts' private RSA keys. This type of attack, known as “man-in-the-middle,” allows the attacker to silently observe users' login details and monitor their activities with remote SSH servers. SSH is commonly used to access and control a device via a command-line interface, although other uses exist.

Host private RSA keys can be obtained by passively observing connections from clients to a vulnerable device's SSH server: accidental or natural computational errors during signature generation can be observed and exploited to calculate the SSH server's private key, which should remain secret.

Natural errors are those caused by cosmic rays and other small faults that flip bits, while accidental errors are due to poorly implemented RSA signature generation. You might think that the former are so rare that they are not realistically exploitable and that the latter would already be known, but rest assured that by monitoring enough SSH connections to a vulnerable SSH server, you will eventually see an exploitable one.

It is important to note that the OpenSSL and LibreSSL software libraries, and therefore OpenSSH, are not known to be vulnerable to this method of key recovery. This means, in our opinion, that the vast majority of devices, servers and other equipment on the Internet are not at risk; what remains are some Internet-of-Things devices and similar embedded equipment susceptible to the attack. Only RSA host keys are affected.

The study was conducted by Keegan Ryan, Kaiwen He, George Arnold Sullivan, and Nadia Heninger of the University of California, San Diego (Kaiwen He is also at MIT). The technique the team uses to recover private RSA keys builds on TLS-breaking research by Florian Weimer in 2015, on 2022 work by some of the authors of the San Diego paper, and on research dating back to the 1990s.

Passive SSH Key Compromise via Lattices

Thomas Ptacek, an infosec expert, shared a summary of the RSA key paper for an easy-to-understand explanation of the issue. Thanks also go to Dan Goodin, former Register journalist, who reported on the paper for Ars Technica.

When a client connects to a vulnerable SSH server, during their negotiations to establish secure, encrypted communications, the server generates a digital signature that the client verifies to ensure it is talking to the server it expects.

This signature generation can be corrupted by natural or accidental errors, as described above, so that lattice algorithms can infer from the erroneous signature the server's private RSA key used to produce it. One countermeasure is to verify the signature is correct before issuing it to the client; OpenSSL and LibreSSL already do this.
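As an added example (not code from the paper, from OpenSSL or LibreSSL, or from any vendor mentioned here), the countermeasure described above: sign with RSA-CRT, then verify the result with the public key before handing it to the client, refusing to release a faulty signature. It assumes a constructed toy key made of two Mersenne primes and PKCS#1 v1.5 padding; `leaked_factor` is a self-test showing why a signature with one faulty CRT half must never leave the server.

```python
import hashlib
from math import gcd

# Toy key built from two Mersenne primes so the demo is deterministic (constructed;
# Mersenne factors are trivially guessable, so a real key uses random ~1024-bit primes).
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (141 for this toy key)

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), returned as the integer m."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    ps = b"\xff" * (K - len(t) - 3)
    return int.from_bytes(b"\x00\x01" + ps + b"\x00" + t, "big")

def crt_sign(m: int, fault: bool = False) -> int:
    """RSA-CRT signing with Garner recombination. fault=True flips one bit in
    the mod-q half, standing in for the natural or implementation errors the
    article describes; the mod-p half stays correct."""
    s1 = pow(m, D % (P - 1), P)
    s2 = pow(m, D % (Q - 1), Q)
    if fault:
        s2 ^= 1 << 17
    h = (pow(Q, -1, P) * (s1 - s2)) % P
    return s2 + h * Q

def verify(m: int, s: int) -> bool:
    """Public-key check of a signature: s^e mod N must equal m."""
    return pow(s, E, N) == m

def safe_sign(m: int, fault: bool = False):
    """The countermeasure the article credits to OpenSSL and LibreSSL: verify
    the fresh signature with the public key and refuse to release a bad one.
    Returns the signature, or None when the computation was faulty."""
    s = crt_sign(m, fault)
    return s if verify(m, s) else None

def leaked_factor(m: int, s: int):
    """Self-test for why the check above is mandatory: a CRT signature that is
    wrong in exactly one half satisfies s^e = m modulo one prime only, so
    gcd(s^e - m, N) is that prime. Returns it, or None for a sound signature."""
    g = gcd(pow(s, E, N) - m, N)
    return g if 1 < g < N else None
```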

The authors of the study stated:

We demonstrate that a passive attacker can opportunistically obtain host private RSA keys from an SSH server that suffers a natural error during signature computation. Previously, it was believed that this was not possible for the SSH protocol because the signature included information such as the Diffie-Hellman shared secret that would not be available to a passive network observer. We show that for commonly used signature parameters for SSH, there is an efficient lattice attack to recover the private key in case of a signature failure. We provide a security analysis of the SSH, IKEv1, and IKEv2 protocols in this scenario and use our attack to discover hundreds of compromised keys worldwide from different vulnerable implementations independently.

A passive adversary can silently monitor legitimate connections without risk of detection until it observes a faulty signature that exposes the private key. The attacker can then actively and undetectably impersonate the compromised host to intercept sensitive data.

The researchers said they scanned the Internet and examined previously collected SSH scan data to measure the prevalence of vulnerable signatures; their dataset of approximately 5.2 billion SSH records, spanning more than seven years of observations, contained more than 590,000 invalid RSA signatures.

Using their lattice key recovery technique, the academics said that more than 4,900 of those faulty signatures revealed the factorization of the corresponding RSA public key, which they used to derive the private RSA keys for 189 of those public keys.

During their research, the authors discovered four manufacturers whose products were vulnerable to this type of key recovery: Cisco, Zyxel, Hillstone Networks, and Mocana. The researchers disclosed the issue to Cisco and Zyxel, and note that both vendors “promptly investigated.”

Cisco determined that its ASA and FTD software had resolved the issue in 2022 and, prior to the paper's publication, it was "investigating mitigations" for its IOS and IOS XE software.

Meanwhile, Zyxel concluded that the flaw only affected its end-of-life firmware and that it had since switched to a non-vulnerable OpenSSL. The researchers say they were unable to contact Hillstone Networks and Mocana and instead referred the issue to the CERT Coordination Center.

An SSH server implementation identifying itself as “SSH-2.0-SSHD” is also said to be vulnerable; it may be used by some enterprise-level Java applications. Since the key recovery technique relies on PKCS#1 v1.5 padding, DNSSEC deployments using PKCS#1 v1.5 RSA signatures may also be at risk.

They also noted that their dataset of signatures from IPsec connections was not large enough to conclude whether that protocol is vulnerable to the same key leak: “Given the rarity of vulnerable signature flaws, we are unable to conclude much about IPsec implementations from our data and believe this question merits further study."
