OpenSSH Client Roaming Vulnerability (CVE-2016-0777 & CVE-2016-0778)

Two vulnerabilities have been discovered in the roaming code of the OpenSSH client. SSH roaming enables a client to reconnect to an existing SSH connection provided the server supports the roaming capability. CVE-2016-0777 is a memory disclosure bug that can be exploited by a malicious or compromised server to extract sensitive data from the client memory, which could include private keys. CVE-2016-0778 is a buffer overflow vulnerability which can also be exploited by a malicious SSH server although to date it has not been confirmed to be exploitable.

Additional Information Can Be Found At

http://undeadly.org/cgi?action=article&sid=20160114142733&mode=expanded
https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
https://marc.info/?l=openbsd-misc&m=145278077920530&w=2

Recommendations

  • Install the OpenSSH patches as they become available.
  • The recommended workaround is to add the option UseRoaming no to /etc/ssh/ssh_config (or to the user's ~/.ssh/config).
    Executing the following command as root will append the workaround to /etc/ssh/ssh_config:
    # echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config
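The one-line command above appends the directive unconditionally, so running it twice leaves a duplicate block. The following POSIX shell script is an added example, not part of the Masergy advisory: it applies the same UseRoaming no workaround only when the file does not already carry it, refuses to proceed if the file already sets UseRoaming yes (ssh_config uses the first value obtained for each option, so appending at the end would not override an earlier yes), and verifies the result. The config path is a parameter so the script can be exercised against a scratch file; on a real host it would be /etc/ssh/ssh_config or ~/.ssh/config.

```shell
#!/bin/sh
# Added example: idempotently disable SSH client roaming in an ssh_config file.
# Assumed usage: disable_roaming /etc/ssh/ssh_config   (run as root for the
# system-wide file; use ~/.ssh/config for a single user).

# Return 0 if the file already contains a "UseRoaming no" directive.
# The match is case-insensitive and tolerates surrounding whitespace, as
# ssh_config keywords are case-insensitive.
roaming_disabled() {
    cfg="$1"
    [ -f "$cfg" ] || return 1
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no[[:space:]]*$' "$cfg"
}

# Return 0 if the file explicitly enables roaming somewhere. Because ssh
# honours the first value it obtains for an option, an existing
# "UseRoaming yes" would take precedence over anything appended later.
roaming_explicitly_enabled() {
    cfg="$1"
    [ -f "$cfg" ] || return 1
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+yes' "$cfg"
}

# Append "Host *" / "UseRoaming no" unless the workaround is already in
# place. Returns 0 when the file ends up with roaming disabled, 1 otherwise.
disable_roaming() {
    cfg="$1"
    if roaming_disabled "$cfg"; then
        return 0                      # nothing to do
    fi
    if roaming_explicitly_enabled "$cfg"; then
        echo "refusing: $cfg already sets UseRoaming yes; remove it first" >&2
        return 1
    fi
    # printf rather than echo -e: the -e flag is not portable across shells.
    printf '\nHost *\n    UseRoaming no\n' >> "$cfg"
    roaming_disabled "$cfg"           # verify the directive was written
}
```

Running disable_roaming a second time is a no-op, which makes it safe to include in configuration management that is applied repeatedly.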

Systems Affected

Unix-based systems such as Linux, OpenBSD and FreeBSD.

Vulnerable Versions

Affects all versions of OpenSSH 5.4 to 7.1.

Masergy Alert Detection

The Masergy Threat Intelligence Team has deployed the following alerts to detect possible exploitation of this vulnerability.

SSH:CVE-2016-0777-1
Detected a suspicious server advertising roaming support. This could mean that a malicious server is exploiting CVE-2016-0777. CVE-2016-0777 is a memory disclosure bug present in the resend_bytes function in roaming_common.c in the client code for OpenSSH 5.x, 6.x, and 7.x before 7.1p2 which allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, which could be utilized to read a private key.

SSH:CVE-2016-0777-2
Detected an OpenSSH client sending a roaming resume request. This could mean that a malicious server is exploiting CVE-2016-0777. CVE-2016-0777 is a memory disclosure bug present in the resend_bytes function in roaming_common.c in the client code for OpenSSH 5.x, 6.x, and 7.x before 7.1p2 which allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, which could be utilized to read a private key.