{"id":6554,"date":"2017-03-20T12:44:08","date_gmt":"2017-03-20T04:44:08","guid":{"rendered":"http:\/\/rmohan.com\/?p=6554"},"modified":"2017-03-20T12:44:41","modified_gmt":"2017-03-20T04:44:41","slug":"openssh-client-information-leak-from-use-of-roaming-connection-feature-cve-2016-0777","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6554","title":{"rendered":"OpenSSH: Client Information leak from use of roaming connection feature (CVE-2016-0777)"},"content":{"rendered":"<h2>Overview<\/h2>\n<p>A flaw in OpenSSH, discovered and <a href=\"https:\/\/www.qualys.com\/2016\/01\/14\/cve-2016-0777-cve-2016-0778\/openssh-cve-2016-0777-cve-2016-0778.txt\">reported by Qualys<\/a> on Jan. 14, 2016, could potentially allow an information leak (CVE-2016-0777) or buffer overflow (CVE-2016-0778) via the OpenSSH client. Specifically, an undocumented feature called roaming, introduced in OpenSSH version 5.4, can be exploited to expose a client\u2019s private SSH key.<\/p>\n<h2>Impact<\/h2>\n<p>The roaming feature, which allows clients to reconnect to the server automatically should the connection drop (on servers supporting the feature), can be exploited in the default configuration of OpenSSH clients from versions 5.4 through 7.1p1, but is not supported in the default configuration of the OpenSSH server.<\/p>\n<p>All versions of OpenSSH clients from 5.4 through 7.1p1 are affected for anyone who connects via SSH on the following operating systems:<\/p>\n<ul>\n<li>Linux<\/li>\n<li>FreeBSD<\/li>\n<li>Mac OS X<\/li>\n<li>Windows when using OpenSSH for Windows<\/li>\n<\/ul>\n<p>The following are not affected:<\/p>\n<ul>\n<li>OpenSSH servers in default configuration<\/li>\n<li>Windows users utilizing PuTTY to connect<\/li>\n<li>Connections not authenticated via an SSH key<\/li>\n<\/ul>\n<h2>Summary<\/h2>\n<p>A connection made from an affected client to a compromised or malicious server which uses an SSH key for authentication potentially could expose all or 
part of the user\u2019s private SSH key.<\/p>\n<p>If the key utilized to authenticate the connection is encrypted, only the encrypted private key could be exposed. However, a malicious party could attempt to brute-force the password offline after obtaining the encrypted key.<\/p>\n<h2>Is Your SSH Client Vulnerable?<\/h2>\n<p>You can check the version of your SSH client by running the following command:<\/p>\n<p><code>ssh -V<\/code><\/p>\n<p>That will produce output similar to:<\/p>\n<p>workstation$ ssh -V<br \/>\nOpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015<\/p>\n<p>If the version is below 7.1p2, the SSH client is affected.<\/p>\n<h2>Resolution<\/h2>\n<ol>\n<li><strong>Update your OpenSSH client:<\/strong> Check for any updates to your SSH client and apply them immediately.<\/li>\n<li><strong>Patch older clients:<\/strong> If an update is not yet available for your operating system, you may disable the roaming feature on affected clients by adding the line \u201cUseRoaming no\u201d to your ssh configuration file. You can do so directly or via one of the methods below:<\/li>\n<\/ol>\n<p>On Linux, you can run the following command to add the necessary line: <code>echo 'UseRoaming no' | sudo tee --append \/etc\/ssh\/ssh_config<\/code><\/p>\n<p>And restart ssh.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview <\/p>\n<p>A flaw in OpenSSH, discovered and reported by Qualys on Jan. 14, 2016, could potentially allow an information leak (CVE-2016-0777) or buffer overflow (CVE-2016-0778) via the OpenSSH client. 
Specifically, an undocumented feature called roaming, introduced in OpenSSH version 5.4, can be exploited to expose a client\u2019s private SSH key.<\/p>\n<p> Impact <\/p>\n<p>The roaming feature, which [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6554"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6554"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6554\/revisions"}],"predecessor-version":[{"id":6556,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6554\/revisions\/6556"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}