CVE-ID: [To be assigned by MITRE]

Title: OpenSSH Server-Sig-Algs Fingerprinting Vulnerability

Date: March 31, 2025

Researcher: Farid

Vendor: OpenSSH (openbsd.org)

Product: OpenSSH

Affected Versions: All versions supporting server-sig-algs (7.2 and later, confirmed in 8.9p1 and 9.2p1)

CVE Status: Draft, pending submission

Description

OpenSSH servers expose a comprehensive list of compile-time supported signature algorithms in the server-sig-algs extension (sent via SSH2_MSG_EXT_INFO, RFC 8308), even when runtime configuration (e.g., PubkeyAcceptedAlgorithms in sshd_config) restricts client authentication to a subset of these algorithms. This behavior allows remote attackers to fingerprint the server’s OpenSSH version and distribution by analyzing the advertised algorithms, including deprecated ones like ssh-dss or modern extensions like sk-ecdsa-sha2-nistp256@openssh.com. This information leakage can aid in identifying unpatched vulnerabilities or tailoring exploits specific to the server’s build.

For example, a server configured with PubkeyAcceptedAlgorithms rsa-sha2-256 still advertises server-sig-algs=<ssh-ed25519, ..., ssh-rsa, rsa-sha2-256, rsa-sha2-512, ssh-dss, ...>, revealing support for algorithms not in use and exposing version-specific details (e.g., ssh-dss dropped in 7.0, sk-* added later). Tools like ssh-audit can exploit this to map server characteristics, increasing the attack surface.

Impact

• Severity: Medium (CVSS estimated 5.3 - AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Scope: Unchanged (S:U)
  • Confidentiality: Low (C:L) - Leaks version/distribution info
  • Integrity: None (I:N)
  • Availability: None (A:N)
• Exploitation: Remote, unauthenticated attackers can fingerprint servers, potentially identifying vulnerable versions (e.g., pre-8.8 with known CVEs) or distribution-specific builds for targeted attacks.

Preconditions

• OpenSSH server with server-sig-algs enabled (default since 7.2).
• No mitigation (e.g., custom build or banner suppression) applied.

Proof of Concept

1. Connect to an OpenSSH server with ssh -vvv hostname.
2. Observe server-sig-algs in debug output, e.g., kex_input_ext_info: server-sig-algs=<ssh-ed25519, ..., ssh-rsa, rsa-sha2-256, rsa-sha2-512, ssh-dss, ...>.
3. Cross-reference with OpenSSH version history:
   • ssh-dss indicates pre-7.0 build.
   • rsa-sha2-512 confirms 6.5+.
   • sk-* algorithms suggest 8.2+.
4. Use tools like ssh-audit to automate fingerprinting.

Mitigation

• Short-Term:
  • Disable SSH2_MSG_EXT_INFO by recompiling OpenSSH without extension support (not practical for most users).
  • Use a firewall or proxy to obscure SSH banners.
• Long-Term:
  • Patch OpenSSH to filter server-sig-algs based on runtime config (e.g., only list algorithms allowed by PubkeyAcceptedAlgorithms).
  • Adopt minimal SSH servers like tinySSH, which avoid broad algorithm advertisement.

Additional Information

This vulnerability was identified during an investigation into OpenSSH authentication failures caused by configuration mismatches. The researcher noticed that uncommenting general PubkeyAcceptedAlgorithms settings (e.g., ssh-ed25519,rsa-sha2-512,rsa-sha2-256) in the client’s ssh_config disrupted connections to a server restricted to PubkeyAcceptedAlgorithms rsa-sha2-256, even with host-specific overrides. This led to the discovery of three related design flaws: 1. Incomplete Host-Specific Overrides: Host-specific PubkeyAcceptedAlgorithms settings do not fully isolate from general settings, causing unexpected client behavior. 2. Client Retry Absence: The SSH client selects one algorithm per key (e.g., rsa-sha2-512) and does not retry others (e.g., rsa-sha2-256), even when a match exists, breaking expected negotiation flexibility. 3. Server-Sig-Algs Mismatch: The server advertises rsa-sha2-512 in server-sig-algs despite rejecting it for client authentication, misleading the client into attempting an unsupported algorithm.

These issues highlighted the fingerprinting vulnerability: the broad server-sig-algs list exposed compile-time settings unrelated to runtime policy, revealing version and build details. Aligning server-sig-algs with PubkeyAcceptedAlgorithms at runtime would not only mitigate this security risk by reducing information leakage (e.g., advertising only rsa-sha2-256 in the example case) but also enhance usability. Clients could then reliably select supported algorithms, avoiding failed authentication attempts due to mismatches. This dual benefit—improved security and user-friendliness—suggests a design improvement for OpenSSH beyond mere vulnerability patching.

References

• OpenSSH Server Configuration Documentation
• OpenSSH Client Configuration Documentation
• RFC 8308: Extension Negotiation
• ssh-audit Tool
• OpenSSH Unix Dev Mailing List

Status

• Draft submitted by researcher “Farid” for review by OpenSSH maintainers and MITRE CVE Assignment Team.