Ars Technica published an article today titled Bug that can leak crypto keys just fixed in widely used OpenSSH which explained how a compromise of a SSH server running OpenSSH software could lead to the server being used to capture data from the memory of systems that have connected to the server via SSH including private keys for users connecting to the server.
The vulnerability resides only in the version end users use to connect to servers and not in versions used by servers. A maliciously configured server could exploit it to obtain the contents of the connecting computer's memory, including the private encryption key used for SSH connections. The bug is the result of code that enables an experimental roaming feature in OpenSSH versions 5.4 to 7.1
"The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys," OpenSSH officials wrote in an advisory published Thursday. "The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers."
The roaming feature was intended to allow users to resume broken SSH connections, even though the feature was disabled in OpenSSH server software years ago. E.g., when I connected to a server I have running OpenSSH server software, I saw the folowing:
$ ssh -v firstname.lastname@example.org 2>&1 >/dev/null | grep -i 'roaming' debug1: Roaming not allowed by server
The Red Hat article on the vulnerability OpenSSH: Information-leak vulnerability (CVE-2016-0777) notes:
Since version 5.4, the OpenSSH client supports an undocumented feature called roaming. If a connection to an SSH server breaks unexpectedly, and if the SSH server supports roaming as well, the client is able to reconnect to the server and resume the interrupted SSH session. The roaming feature is enabled by default in OpenSSH clients, even though no OpenSSH server version implements the roaming feature.
For affected products, the article also notes:
Red Hat Enterprise Linux 7 since version 7.1 has provided OpenSSH 6.6 for which the default configuration is not affected by this flaw. OpenSSH 6.6 is only vulnerable to this issue when used with certain non-default ProxyCommand settings. Security update RHSA-2016-0043 corrects this issue.
On a Linux system, you can check the version of SSH installed with
$ ssh -V OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
On a CentOS Linux system using the
RPM Package Manager
you can also use
rpm -qi openssh | grep Version.
$ rpm -qi openssh | grep Version Version : 6.6.1p1
On a CentOS system, you can update the software from the command line, aka a
shell prompt, using the command
yum update openssh.
If you are using a vulnerable OpenSSH client, you can also specify the
-oUseRoaming=no parameter on the command line to ensure that
a malicious server can't take advantage of the vulnerability. E.g.
ssh -oUseRoaming=no email@example.com. Or the feature can
be disabled for all users on a system by putting
UseRoaming no in
/etc/ssh/ssh_config or by an individual user for his account
by adding the line to
echo 'UseRoaming no' >> /etc/ssh/ssh_config
Bug that can leak crypto keys just fixed in widely used OpenSSH
Date: January 14, 2016
Fixing The New OpenSSH Roaming Bug
OpenSSH: Information-leak vulnerability (CVE-2016-0777)
Updated: January 14, 2016
Red Hat Customer Portal
Security OpenSSH Security Bug CVE-2016-0777 & CVE-2016-0778
Date: January 4, 2016