
Critical Bug Affects OpenSSH Users

by Jeff Martin on Jan 16, 2016. Estimated reading time: 1 minute

Users of OpenSSH should take immediate action to secure and patch their systems based on a newly reported bug that affects OpenSSH versions 5.4 through 7.1.  Note that this includes both the OpenBSD-specific and portable versions of OpenSSH. 

This newly revealed bug stems from a failed implementation of a feature called roaming, which was intended to facilitate resuming SSH connections. While server-side code was never released to support this feature, the client-side code remained vulnerable to exploitation by a malicious host. The flaw enables a malicious server host to access memory on the client system, which would include the ability for the host to access the private client user keys.

The patch announcement by Damien Miller notes that:

The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.

It is important to note that unpatched clients are vulnerable because the malformed feature is enabled by default. What is worse is that the “UseRoaming” option is not usually present in the configuration file, so it may not be readily apparent that a system is vulnerable by simply scanning SSH configuration files.

Patches are available, and the latest portable release of OpenSSH 7.1p2 has been released.  Users who are unable to apply the patch to their system can use one of the following changes to their SSH configuration file to prevent the flawed code from executing:

  • Add “UseRoaming no” to their global SSH config file (typically /etc/ssh/ssh_config)
  • Add “UseRoaming no” to their user SSH config file (typically ~/.ssh/config)
  • Include -oUseRoaming=no in their command line invocation of SSH
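
The version range and the configuration mitigation above can be checked mechanically. The script below is an added example, not code from the article or from the OpenSSH project, and its function names are hypothetical. It assumes the "ssh -V" banner reflects the real patch level (a distribution build that backported the fix under an older version string is still flagged), and it only counts a "UseRoaming no" that applies to every host, since a setting placed under a specific Host block protects connections to that host only.

```shell
# Succeeds if the "ssh -V" banner in $1 is in the affected range 5.4 - 7.1;
# 7.1p2, the patched portable release, counts as fixed.
is_affected_version() {
    printf '%s\n' "$1" | awk '
        BEGIN { rc = 1 }
        match($0, /OpenSSH_[0-9]+\.[0-9]+/) {
            split(substr($0, RSTART + 8, RLENGTH - 8), n, /\./)
            num = n[1] * 100 + n[2]
            rest = substr($0, RSTART + RLENGTH)
            if (num >= 504 && num <= 701 && !(num == 701 && rest ~ /^p[2-9]/)) rc = 0
            exit
        }
        END { exit rc }'
}

# Prints the UseRoaming value in config file $1 that applies to every host,
# or "unset". Settings under a specific Host, or under any Match block
# (assumption: treated conservatively as non-global), do not count.
global_roaming_setting() {
    awk '
        BEGIN { all = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line); gsub(/"/, "", line)
            n = split(line, f, /[ \t]+/); key = tolower(f[1])
            if (key == "host")  { all = (n == 2 && f[2] == "*"); next }
            if (key == "match") { all = 0; next }
            if (key == "useroaming" && all) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "unset" }' "$1"
}

# Succeeds if the client is exposed: affected version, and the first global
# UseRoaming value across the given files (in ssh lookup order) is not "no".
client_exposed() {
    banner=$1; shift
    is_affected_version "$banner" || return 1
    for f in "$@"; do
        [ -r "$f" ] || continue
        case $(global_roaming_setting "$f") in
            no) return 1 ;; unset) ;; *) return 0 ;;
        esac
    done
    return 0   # never set: roaming is enabled by default in affected clients
}
# On a real host ("ssh -V" writes its banner to stderr):
#   client_exposed "$(ssh -V 2>&1)" "$HOME/.ssh/config" /etc/ssh/ssh_config && echo exposed
```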

This bug was found thanks to a report from the Qualys Security Advisory team.  Note that the 7.1p2 release includes fixes for a few other bugs, so applying it as soon as possible is recommended.  For additional details, refer to CVE-2016-0777 and CVE-2016-0778.  Qualys has shared their security advisory on Seclists.
