Full Report
SSH has a problem where a passive observer is able to deduce some information via the metadata, which violates most cryptographic principles. By default, each keystroke is clearly identified and timestamped. To combat this, SSH started obfuscating the keystrokes some. The obfuscation veils the keystroke packets among a wave a fake packets that should look the same. When a keystroke is made, a bunch of these chaff packets start flooding out to hide all real keystrokes. The author decided to do some analysis on the sizes of these packets to see if the protection actually worked. While analyzing, they noticed that some packets were substantially larger than the rest! The chaff packets should be the same as the keystroke packets in size in order to mask them but this doesn't appear to be the case. What's going on? After reviewing the source code, wireshark captures and SSH verbose mode logs, they understood what was going on... SSH can group multiple requests together into a single packet. On the second keyboard stroke, this starts happening. The real keystrokes are packaged up with a PING packet, creating a packet twice the size as a normal keystroke and two server-side responses. Using this knowledge, it's possible to get the same information as before - how many keystrokes were made at what intervals. They create a tool for doing this that is pretty cool! Typing out certain commands have a specific rhythm (such as sudo apt upgrade) making the analysis possible to get the actual sent command out of the packet. Overall, good post on side channel analysis and how easy it is to mess up these types of protections.
Analysis Summary
# Vulnerability: OpenSSH Keystroke Obfuscation Side-Channel Bypass
## CVE Details
- **CVE ID**: Not yet assigned (Disclosed June 24, 2024)
- **CVSS Score**: 4.3 (Medium) - *Estimated based on Confidentiality impact*
- **CWE**: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor / CWE-1253: Incorrect Use of Timing Channels
## Affected Systems
- **Products**: OpenSSH
- **Versions**: Version 9.5 through 9.8 (current at time of disclosure)
- **Configurations**: Interactive sessions where `ObscureKeystrokeTiming` is enabled (default behavior since version 9.5).
## Vulnerability Description
OpenSSH introduced a "chaffing" mechanism to prevent keystroke timing attacks by sending fake packets (chaff) at fixed 20ms intervals to mask real typing. However, the implementation contains a logic flaw regarding packet bundling.
When a user types, OpenSSH may group multiple requests (such as a real keystroke and a `SSH2_MSG_PING` packet) into a single TCP packet. This results in "spike" packets that are significantly larger than the standard chaff packets and trigger two server-side responses instead of one. Because these larger packets only occur during real keystrokes, a passive network observer can filter out the chaff and perfectly reconstruct the inter-keystroke timing data the feature was designed to hide.
## Exploitation
- **Status**: PoC available; Research-stage exploitation.
- **Complexity**: Medium (Requires statistical analysis of captured traffic).
- **Attack Vector**: Network (Passive observation/sniffing).
## Impact
- **Confidentiality**: Low/Medium. An attacker can perform keystroke latency analysis to infer sensitive commands typed in an encrypted session (e.g., `sudo` commands or specific arguments).
- **Integrity**: None.
- **Availability**: None.
## Remediation
### Patches
- At the time of publication, no official patch has been released. The vendor was notified on April 24, 2024, but communication ceased.
### Workarounds
- **Disable Obfuscation**: Users can disable the flawed feature to return to standard behavior, though this leaves the session vulnerable to traditional timing attacks. Set `ObscureKeystrokeTiming=no` in the SSH configuration.
- **Client choice**: Use an SSH client version prior to 9.5 that does not attempt this specific obfuscation method.
## Detection
- **Indicators of Compromise**: This is a passive side-channel attack; there are no logs on the server or client indicating that traffic is being analyzed.
- **Detection methods and tools**:
- **SSHniff**: A tool developed by the researcher to automate the extraction of metadata and identify the "spike" packets.
- **Wireshark**: Analysis of packet lengths and intervals can reveal the bundling of PING/keystroke packets.
## References
- **Enigmelo Blog**: hxxps[://]enigmelo[.]xyz/2024/06/24/ssh-keystroke-obfuscation-bypass/
- **SSHniff Tool**: hxxps[://]github[.]com/CrzPhil/SSHniff
- **Analysis Notebook**: hxxps[://]github[.]com/CrzPhil/SSH-Keystroke-Latency-Analysis
- **OpenSSH 9.5 Release Notes**: hxxps[://]www[.]openssh[.]com/txt/release-9.5