[arch-security] [ASA-201601-9] openssh: multiple issues

Levente Polyak anthraxx at archlinux.org
Thu Jan 14 17:12:28 UTC 2016


Arch Linux Security Advisory ASA-201601-9
=========================================

Severity: High
Date    : 2016-01-14
CVE-ID  : CVE-2016-0777 CVE-2016-0778
Package : openssh
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package openssh before version 7.1p2-1 is vulnerable to multiple
issues including information disclosure (including the client's private
keys) and arbitrary code execution.

Resolution
==========

Upgrade to 7.1p2-1.

# pacman -Syu "openssh>=7.1p2-1"

The problems have been fixed upstream in version 7.1p2.

Workaround
==========

It is possible to mitigate this issue by setting the following option in
the OpenSSH client's configuration file manually, either global
(/etc/ssh/ssh_config) or user specific (~/.ssh/config):

    UseRoaming no

The above directive should be placed in the Host * section of the
configuration file to use this setting for all SSH servers the client
connects to.

You can also set the option via a command line argument when connecting
to an SSH server:

    -o 'UseRoaming no'

Using one of those configuration values mitigates the problems by
disabling the roaming feature.

Description
===========

- CVE-2016-0777 (information disclosure)

An information leak flaw was found in the way the OpenSSH client roaming
feature was implemented. A malicious server could potentially use this
flaw to leak portions of memory (possibly including private SSH keys) of
a successfully authenticated OpenSSH client.

- CVE-2016-0778 (arbitrary code execution)

A buffer overflow flaw was found in the way the OpenSSH client roaming
feature was implemented that is leading to a file descriptor leak. A
malicious server could potentially use this flaw to execute arbitrary
code on a successfully authenticated OpenSSH client if that client used
certain non-default configuration options (ProxyCommand, ForwardAgent or
ForwardX11).

Impact
======

A remote attacker is able to use a malicious server to leak client
memory, including the client's private keys or, under certain non
default circumstances, execute arbitrary code.

Users with passphrase-less privates keys, especially in non interactive
setups (automated jobs using ssh, scp, rsync+ssh etc.) are advised to
update their keys if they have connected to an SSH server they don't
fully trust.

References
==========

https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034680.html
https://access.redhat.com/security/cve/CVE-2016-0777
https://access.redhat.com/security/cve/CVE-2016-0778

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160114/8a0244de/attachment.asc>


More information about the arch-security mailing list