[arch-security] [ASA-201601-9] openssh: multiple issues
Levente Polyak
anthraxx at archlinux.org
Thu Jan 14 17:12:28 UTC 2016
Arch Linux Security Advisory ASA-201601-9
=========================================
Severity: High
Date : 2016-01-14
CVE-ID : CVE-2016-0777 CVE-2016-0778
Package : openssh
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package openssh before version 7.1p2-1 is vulnerable to multiple
issues including information disclosure (including the client's private
keys) and arbitrary code execution.
Resolution
==========
Upgrade to 7.1p2-1.
# pacman -Syu "openssh>=7.1p2-1"
The problems have been fixed upstream in version 7.1p2.
Workaround
==========
It is possible to mitigate this issue by setting the following option in
the OpenSSH client's configuration file manually, either global
(/etc/ssh/ssh_config) or user specific (~/.ssh/config):
UseRoaming no
The above directive should be placed in the Host * section of the
configuration file to use this setting for all SSH servers the client
connects to.
You can also set the option via a command line argument when connecting
to an SSH server:
-o 'UseRoaming no'
Using one of those configuration values mitigates the problems by
disabling the roaming feature.
Description
===========
- CVE-2016-0777 (information disclosure)
An information leak flaw was found in the way the OpenSSH client roaming
feature was implemented. A malicious server could potentially use this
flaw to leak portions of memory (possibly including private SSH keys) of
a successfully authenticated OpenSSH client.
- CVE-2016-0778 (arbitrary code execution)
A buffer overflow flaw was found in the way the OpenSSH client roaming
feature was implemented that is leading to a file descriptor leak. A
malicious server could potentially use this flaw to execute arbitrary
code on a successfully authenticated OpenSSH client if that client used
certain non-default configuration options (ProxyCommand, ForwardAgent or
ForwardX11).
Impact
======
A remote attacker is able to use a malicious server to leak client
memory, including the client's private keys or, under certain non
default circumstances, execute arbitrary code.
Users with passphrase-less privates keys, especially in non interactive
setups (automated jobs using ssh, scp, rsync+ssh etc.) are advised to
update their keys if they have connected to an SSH server they don't
fully trust.
References
==========
https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034680.html
https://access.redhat.com/security/cve/CVE-2016-0777
https://access.redhat.com/security/cve/CVE-2016-0778
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160114/8a0244de/attachment.asc>
More information about the arch-security
mailing list