
Serious CVE-2016-0777 vulnerability detected in OpenSSH client


Today a new vulnerability in the OpenSSH client was disclosed and assigned the identifiers CVE-2016-0777 and CVE-2016-0778. All versions of the client from 5.4 to 7.1 are affected.

The bug allows an attack that leads to leakage of the client's private key. Host key verification prevents man-in-the-middle attacks, so attackers first need to gain control of the machine you are connecting to. However, when connecting to a machine for the first time without verifying its host key, a MITM attack is possible.

Until you update the vulnerable systems, it is recommended to use the following fix:
echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config 

Updates for various operating systems are already being released, including portable OpenSSH 7.1p2.

OpenSSH client versions 5.4 through 7.1 contain code for the experimental "roaming" feature, which allows a session to be resumed. The server side of this functionality was never published, but the existing client code is vulnerable: a malicious server can obtain part of the client's memory, which may contain the private key. The feature is enabled by default, so the severity is quite serious.

The Hacker News user patio11 summed up the seriousness of the situation in the comments:
Immediately apply the fix and update vulnerable systems, both on your work machines and inside your infrastructure, wherever SSH is used. And it can be used in very unexpected places.

SSH is designed so that if you connect to an attacker's host, the host will only learn your public key, never your private one. This vulnerability allows your private key to be stolen. You might think, "I only connect to my own servers, so I'm safe", but if in the future attackers gain access to a single system, they can use it to steal your private key and use that to access the rest of your infrastructure.

Thus, your personal photoblog at Digital Ocean could be a potential hole in the infrastructure of your organization, because many people use the same private key.

It is expected that this vulnerability will be added to many exploits and rootkits, because it's pretty simple to use for mass attacks.


Mac OS X


The patched versions have already been published in homebrew and macports. To update, execute:
# Homebrew
brew update
brew install openssh

# MacPorts
port selfupdate
port install openssh


Linux / FreeBSD


The patches are ready and will soon be available in the package managers; until the update arrives it is recommended to disable the "roaming" feature:
echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config

You can also use the latest portable version.
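As an added example (not part of the original article), a small POSIX sh script that checks whether the installed client banner falls in the affected 5.4 to 7.1 range and applies the UseRoaming mitigation only once; the article's `>>` one-liner appends a duplicate block each time it is run and relies on bash's `echo -e`. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article. Two checks and one
# idempotent fix for the CVE-2016-0777 / CVE-2016-0778 roaming issue.

# Return 0 if a `ssh -V` banner such as "OpenSSH_7.1p2, OpenSSL ..." is in
# the affected range 5.4 <= version <= 7.1, 1 if outside it, 2 if it is
# not an OpenSSH banner at all.
openssh_is_affected() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 2
    set -- $v
    major=$1; minor=$2
    num=$((major * 100 + minor))        # 7.1 -> 701, 5.4 -> 504
    [ "$num" -ge 504 ] && [ "$num" -le 701 ]
}

# Return 0 if the config file already carries an uncommented "UseRoaming no".
roaming_disabled_in() {
    grep -qiE '^[[:space:]]*UseRoaming[[:space:]]+no' "$1" 2>/dev/null
}

# Append the mitigation once; a second call is a no-op. Note that ssh_config
# takes the first value found for an option, so an earlier "UseRoaming yes"
# in the same file would still win and must be removed by hand.
disable_roaming_in() {
    roaming_disabled_in "$1" && return 0
    printf 'Host *\n    UseRoaming no\n' >> "$1"
}

# On a real system (ssh -V prints its banner to stderr):
#   banner=$(ssh -V 2>&1)
#   openssh_is_affected "$banner" && disable_roaming_in /etc/ssh/ssh_config
```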

Windows


PuTTY users are safe; OpenSSH users under Cygwin should update to the latest portable version.

Detailed description of the vulnerability (eng.)

Source: https://habr.com/ru/post/275137/

