The open-source OpenSSH project today announced a critical update, patching a pair of vulnerabilities that an attacker could have used to steal user information.
OpenSSH is a widely used and deployed technology that is intended to enable secure remote access to a system. OpenSSH is an implementation of the SSH (Secure Shell) protocol 2.0 that can run on both client and server systems and is typically included in all major Linux distributions.
“The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming),” the OpenSSH project advisory on the update states. “The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys.”
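A quick way to tell whether an installed client falls in the affected range the advisory describes, as an added example that is not part of the article or of the OpenSSH project's own code: the shell functions below parse an `ssh -V` banner, flag versions from 5.4 through 7.1 inclusive, and check an ssh_config-style file for the client-side workaround `UseRoaming no` (the directive comes from the OpenSSH advisory, not from this article; the config-file format and paths are assumptions).

```shell
#!/bin/sh
# Added example (not from the article or from OpenSSH): is this client in the
# roaming-affected range 5.4 <= version <= 7.1, and is roaming already off?

# Extract "major.minor" from an `ssh -V` banner such as
# "OpenSSH_7.1p1 OpenSSL 1.0.2e 3 Dec 2015" or "OpenSSH_6.6.1p1 ...".
# Prints nothing for an unrecognised banner.
openssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Returns 0 (true) when major.minor lies within 5.4 .. 7.1 inclusive,
# 1 when outside that range, 2 when the banner could not be parsed.
openssh_roaming_affected() {
    ver=$(openssh_version_from_banner "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    # Compare as one integer: major*100 + minor (5.4 -> 504, 7.1 -> 701).
    n=$((major * 100 + minor))
    [ "$n" -ge 504 ] && [ "$n" -le 701 ]
}

# Returns 0 when the given file explicitly contains "UseRoaming no".
# Assumption: an ssh_config-style file, one directive per line, case-insensitive.
roaming_disabled_in_config() {
    [ -f "$1" ] && grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no([[:space:]]|$)' "$1"
}

# Stand-alone usage: `sh check_roaming.sh --check` inspects the local client.
# (Assumed config locations: /etc/ssh/ssh_config and ~/.ssh/config.)
if [ "${1:-}" = "--check" ]; then
    banner=$(ssh -V 2>&1)   # older clients print the banner on stderr
    if openssh_roaming_affected "$banner"; then
        if roaming_disabled_in_config /etc/ssh/ssh_config \
           || roaming_disabled_in_config "$HOME/.ssh/config"; then
            echo "affected version ($banner), but UseRoaming is disabled"
        else
            echo "AFFECTED: $banner; update the client or set 'UseRoaming no'"
        fi
    else
        echo "not in the affected range: $banner"
    fi
fi
```

The integer comparison is deliberate: a plain string comparison would rank "7.10" below "7.2", and the patch-level suffix (`p1`) is irrelevant to the advisory's range, so it is discarded. Vendor backports (such as the Red Hat updates mentioned below) keep the upstream version number, so a version check alone cannot confirm a fixed package; treat a hit as "check your distribution's advisory", not as proof of exposure.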
Security firm Qualys first reported the roaming vulnerability to the OpenSSH project and has identified the flaw as CVE-2016-0777.
“The information leak is exploitable in the default configuration of the OpenSSH client, and (depending on the client’s version, compiler, and operating system) allows a malicious SSH server to steal the client’s private keys,” Qualys warns in its advisory. “This information leak may have already been exploited in the wild by sophisticated attackers, and high-profile sites or users may need to regenerate their SSH keys accordingly.”
Qualys also found a second flaw, a buffer overflow identified as CVE-2016-0778, which OpenSSH is patching in the same update. The buffer overflow has less impact than CVE-2016-0777, as it can only be triggered on systems running with a pair of non-default options.
“This buffer overflow is therefore unlikely to have any real-world impact, but provides a particularly interesting case study,” Qualys stated.
With the patch now out from the OpenSSH project, Linux vendors are beginning to rush out their own packages that include the new patch.
“Red Hat Enterprise Linux 4, 5 and 6 are not affected by this flaw as they include OpenSSH versions that are older than 5.4; Red Hat Enterprise Linux 7 is affected,” Mark Cox, senior director of product security at Red Hat, told eWEEK. “Red Hat Product Security is working on security updates for Red Hat Enterprise Linux 7, and they should be available soon.”
From a workaround perspective, Linux offers multiple sets of security controls that can often be employed proactively to limit risk. One such system is SELinux (Security-Enhanced Linux), which adds a layer of access controls over system processes and applications. Unfortunately, Cox said, no security controls, including SELinux, would have helped with the OpenSSH issues.
“The problem involved a bug that exposed a memory leak to a malicious SSH server,” Cox explained. “Because the data in question didn’t cross any trust or execution boundaries, the malicious server could get the client to possibly leak sensitive authentication key data.”