Vulnerability Note VU#456088
OpenSSH Client contains a client information leak vulnerability and buffer overflow
Original Release date: 14 Jan 2016 | Last revised: 20 Jan 2016

Overview
OpenSSH client code versions 5.4 through 7.1p1 contains a client information leak vulnerability that could allow an OpenSSH client to leak information not limited to but including private keys, as well as a buffer overflow in certain non-default configurations.

Description
CWE-200: Information Exposure – CVE-2016-0777
According to the OpenSSH release notes for version 7.1p2 :

 The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming).

The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys.

The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.

CWE-122: Heap-based Buffer Overflow – CVE-2016-0778

According to Qualys, the API functions packet_write_wait() and ssh_packet_write_wait() may overflow in some scenarios after a successful reconnection.

Qualys also notes that:

The buffer overflow, on the other hand, is present in the default configuration of the OpenSSH client but its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X). This buffer overflow is therefore unlikely to have any real-world impact, but provides a particularly interesting case study.

For more information, please see Qualys’s advisory. The CVSS score below is based on CVE-2016-0777.

Impact
A user that authenticates to a malicious or compromised server may reveal private data, including the user’s private SSH key, or cause a buffer overflow that may lead to remote code execution in certain non-default configurations.

Solution
Apply an update

OpenSSH 7.1p2 has released to address these issues. Affected users are recommended to update as soon as possible.

If update is currently not an option, you may consider the following workaround:
Disable the ‘UseRoaming’ Feature

The vulnerable code in the client can be completely disabled by adding ‘UseRoaming no’ to the global ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedDebian GNU/LinuxAffected14 Jan 201614 Jan 2016
Hardened BSDAffected14 Jan 201614 Jan 2016
OpenBSDAffected14 Jan 201615 Jan 2016
OpenSSHAffected-14 Jan 2016
UbuntuAffected14 Jan 201614 Jan 2016
Openwall GNU/*/LinuxNot Affected14 Jan 201620 Jan 2016
ACCESSUnknown14 Jan 201614 Jan 2016
Alcatel-LucentUnknown14 Jan 201614 Jan 2016
AppleUnknown14 Jan 201614 Jan 2016
Arch LinuxUnknown14 Jan 201614 Jan 2016
Arista Networks, Inc.Unknown14 Jan 201614 Jan 2016
Aruba NetworksUnknown14 Jan 201614 Jan 2016
AT&TUnknown14 Jan 201614 Jan 2016
Avaya, Inc.Unknown14 Jan 201614 Jan 2016
Barracuda NetworksUnknown14 Jan 201614 Jan 2016If you are a vendor and your product is affected, let
us know.View More &raquo

CVSS Metrics (Learn More)

Group
Score
Vector

Base
4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

Temporal
3.6
E:F/RL:OF/RC:C

Environmental
2.7
CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

http://www.openssh.com/txt/release-7.1p2
https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
http://undeadly.org/cgi?action=article&sid=20160114142733
https://github.com/openssh/openssh-portable/blob/8408218c1ca88cb17d15278174a24a94a6f65fe1/roaming_client.c#L70
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777
https://isc.sans.edu/forums/diary/OpenSSH+71p2+released+with+security+fix+for+CVE20160777/20613/
https://access.redhat.com/articles/2123781

Credit

This issue was previously coordinated and publicly disclosed by the Qualys Security Advisory Team.
This document was written by Brian Gardiner and Garret Wassermann.

Other Information

CVE IDs:
CVE-2016-0777
CVE-2016-0778

Date Public:
14 Jan 2016

Date First Published:
14 Jan 2016

Date Last Updated:
20 Jan 2016

Document Revision:
45

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply