OpenSSH Clients Struck By New Security Vulnerability

Written by Michael Larabel in Standards on 14 January 2016 at 02:53 PM EST. 27 Comments
Any OpenSSH client released in the past six years is exposed to two vulnerabilities, triggerable by a malicious SSH server, that can cause a memory disclosure and a buffer overflow.

OpenSSH clients have an undocumented "roaming" feature, enabled by default, that lets the client reconnect and resume its previous SSH session if the connection to an SSH server breaks unexpectedly. However, leaving this roaming feature enabled could leave you open to an attack by a compromised SSH server.

CVE-2016-0777 and CVE-2016-0778 are summarized as:
Although roaming is not supported by the OpenSSH server, it is enabled by default in the OpenSSH client, and contains two vulnerabilities that can be exploited by a malicious SSH server (or a trusted but compromised server): an information leak (memory disclosure), and a buffer overflow (heap-based).

The information leak is exploitable in the default configuration of the OpenSSH client, and (depending on the client's version, compiler, and operating system) allows a malicious SSH server to steal the client's private keys. This information leak may have already been exploited in the wild by sophisticated attackers, and high-profile sites or users may need to regenerate their SSH keys accordingly.

The buffer overflow, on the other hand, is present in the default configuration of the OpenSSH client but its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X). This buffer overflow is therefore unlikely to have any real-world impact, but provides a particularly interesting case study.

All OpenSSH versions between 5.4 and 7.1 are vulnerable, but can be easily hot-fixed by setting the undocumented option "UseRoaming" to "no", as detailed in the Mitigating Factors section. OpenSSH version 7.1p2 (released on January 14, 2016) disables roaming by default.
There are more details on these OpenSSH vulnerabilities via the OpenBSD journal.
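The hot-fix from the advisory, as an added shell example that is not part of the article or of OpenSSH: it classifies a client by the version string `ssh -V` prints, using the affected range quoted above (5.4 through 7.1, fixed in 7.1p2), and appends `UseRoaming no` to an ssh_config file if it is not already set. The helper names and the sample version strings in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or the OpenSSH project: classify an
# OpenSSH client by the version string `ssh -V` prints (to stderr), using
# the affected range from the advisory, and apply the one-line mitigation.

# Usage: openssh_roaming_status "$(ssh -V 2>&1)"
# Prints one of: vulnerable | not-affected | unknown
openssh_roaming_status() {
    case $1 in OpenSSH_*) ;; *) echo unknown; return 0 ;; esac
    v=${1#OpenSSH_}; v=${v%%[!0-9.p]*}           # e.g. "7.1p1" or "6.6.1p1"
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%[!0-9]*}
    case $v in *p*) patch=${v##*p} ;; *) patch=0 ;; esac
    [ -n "$major" ] && [ -n "$minor" ] || { echo unknown; return 0; }
    n=$((major * 100 + minor))                    # 5.4 -> 504, 7.1 -> 701
    if [ "$n" -lt 504 ] || [ "$n" -gt 701 ]; then
        echo not-affected                         # roaming absent or already removed
    elif [ "$n" -eq 701 ] && [ "$patch" -ge 2 ]; then
        echo not-affected                         # 7.1p2 disables roaming by default
    else
        echo vulnerable
    fi
}

# Append "UseRoaming no" to a config file unless it is already set there.
# ssh_config uses the first value it finds for an option, so a trailing
# "Host *" block applies everywhere without overriding earlier per-host settings.
ensure_use_roaming_no() {
    cfg=$1
    [ -e "$cfg" ] || : > "$cfg"
    if grep -qi '^[[:space:]]*UseRoaming[[:space:]]' "$cfg"; then
        echo "already set"
    else
        printf '\nHost *\n    UseRoaming no\n' >> "$cfg"
        echo "added"
    fi
}
```

Run it against `/etc/ssh/ssh_config` (system-wide) or `~/.ssh/config` (per user); the function is idempotent, so re-running it on a patched file reports "already set".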
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.
