phpseclib SSH2 HMAC Verification Vulnerability Leading to Timing Attack

Vulnerability

A vulnerability exists in the phpseclib library's SSH2 component, specifically in the HMAC verification performed by the 'get_binary_packet' method. This issue is present in versions prior to 3.0.51, 2.0.53, and 1.0.28. The vulnerability arises because the library uses PHP's '!=' operator to compare HMACs, which is a variable-time comparison: its running time depends on how many leading bytes of the two values match. This behavior can in principle be exploited as a timing attack, although such exploitation is impractical in a real-world SSH context due to the protocol's inherent protections.

Impact

Exploitation of this vulnerability creates a timing side-channel that could theoretically allow an attacker to recover HMAC values byte-by-byte. However, this attack is not feasible in practice, as each SSH connection uses a fresh HMAC key and the protocol disconnects on MAC verification failures, preventing the accumulation of timing information across packets.

Reproduction

The vulnerability can be reproduced by sending SSH packets over a connection that negotiates a non-AEAD cipher and a non-AEAD MAC. This will trigger the vulnerable HMAC verification code, where the '!=' operator introduces a timing leak. The vulnerability can be demonstrated using a proof-of-concept script that measures the timing differences caused by the variable-time comparison.
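As an added illustration (not phpseclib's own code, and not the proof-of-concept script referred to above), the following PHP contrasts the '!=' comparison the advisory describes with the hash_equals() form that removes the timing dependence. The packet bytes, the MAC key, the sequence number and the function names are constructed for this example; the only phpseclib-specific fact it relies on is that an SSH MAC covers the sequence number followed by the unencrypted packet.

```php
<?php
// Added illustration (not phpseclib's code): the variable-time MAC check
// described above, beside the constant-time form. All names and sample
// values below are constructed for this example.

declare(strict_types=1);

// SSH computes the MAC over the 32-bit sequence number followed by the
// unencrypted packet. $seq and $packet are constructed sample values.
function computeMac(string $key, int $seq, string $packet): string
{
    return hash_hmac('sha256', pack('N', $seq) . $packet, $key, true);
}

// Vulnerable shape: '!=' on two strings compares bytes in order and stops at
// the first mismatch, so the time taken depends on how many leading bytes
// agree. It is also a loose comparison: two numeric-looking strings such as
// "1e3" and "1000" compare equal, which is a second reason not to use it.
function verifyMacVariableTime(string $expected, string $received): bool
{
    if ($expected != $received) {
        return false;
    }
    return true;
}

// Hardened shape: hash_equals() performs a strict byte comparison whose
// running time depends only on the length of the strings, and it returns
// false without leaking anything when the lengths differ.
function verifyMacConstantTime(string $expected, string $received): bool
{
    return hash_equals($expected, $received);
}

// Demonstration on a constructed packet.
$key    = random_bytes(32);                            // per-connection MAC key
$seq    = 7;                                           // constructed sequence number
$packet = "\x00\x00\x00\x0c\x06" . str_repeat("\x00", 11);
$mac    = computeMac($key, $seq, $packet);

// A MAC whose last byte was changed in transit (constructed tampering).
$tampered = $mac;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);

$results = [
    'variable_time_valid'    => verifyMacVariableTime($mac, $mac),
    'variable_time_tampered' => verifyMacVariableTime($mac, $tampered),
    'constant_time_valid'    => verifyMacConstantTime($mac, $mac),
    'constant_time_tampered' => verifyMacConstantTime($mac, $tampered),
];
var_dump($results);
```

Both functions accept the genuine MAC and reject the tampered one; the difference is only in how long the rejection takes, which is exactly the property the advisory's '!=' finding concerns. When reviewing code that compares MACs, signatures, or tokens, treating any use of '==', '!=' or strcmp() on a secret-derived value as a finding and replacing it with hash_equals() is the check to apply.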

Remediation

Users can upgrade to phpseclib versions 3.0.51, 2.0.53, or 1.0.28, where this vulnerability has been fixed.

Added: Apr 10, 2026, 9:24 PM
Updated: Apr 10, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 0.6
exploitability: 5.6
remediation: 7.7
relevance: 5.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.