OpenSSH Clients Struck By New Security Vulnerability
Written by Michael Larabel in Standards on 14 January 2016 at 02:53 PM EST. 27 Comments
STANDARDS --
Any OpenSSH client released in the past six years is prone to two vulnerabilities by malicious SSH servers that could cause memory disclosures and a buffer overflow.

OpenSSH clients have an undocumented "roaming" feature that's enabled by default where if the connection to an SSH server breaks unexpectedly, the client is able to reconnect and resume its previous SSH session. However, in making use of this roaming feature could leave you open to an attack by a compromised SSH server.

CVE-2016-0777 and CVE-2016-0778 are summarized as:
Although roaming is not supported by the OpenSSH server, it is enabled by default in the OpenSSH client, and contains two vulnerabilities that can be exploited by a malicious SSH server (or a trusted but compromised server): an information leak (memory disclosure), and a buffer overflow (heap-based).

The information leak is exploitable in the default configuration of the OpenSSH client, and (depending on the client's version, compiler, and operating system) allows a malicious SSH server to steal the client's private keys. This information leak may have already been exploited in the wild by sophisticated attackers, and high-profile sites or users may need to regenerate their SSH keys accordingly.

The buffer overflow, on the other hand, is present in the default configuration of the OpenSSH client but its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X). This buffer overflow is therefore unlikely to have any real-world impact, but provides a particularly interesting case study.

All OpenSSH versions between 5.4 and 7.1 are vulnerable, but can be easily hot-fixed by setting the undocumented option "UseRoaming" to "no", as detailed in the Mitigating Factors section. OpenSSH version 7.1p2 (released on January 14, 2016) disables roaming by default.
There are more details on these OpenSSH vulnerabilities via the OpenBSD journal.
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Related Standards News
Popular News