Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: OpenSSH 7.1p2 released with security fix for CVE-2016-0777 SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
OpenSSH 7.1p2 released with security fix for CVE-2016-0777

2016-01-14: Updated to show this is not as serious as previous vulnerabilities like Heartbleed.

OpenSSH 7.1p2 has been released with a security fix for a vulnerability recently assigned to CVE-2016-0777 [1].  CVE 2016-0777 is a client information leak that could leak private keys to a malicious server.  A workaround is available for previous versions of OpenSSH [2]. 

Early reports from Redhat [3] and the OpenBSD Journal [4] provide some details some details on this vulnerability.

From the Redhat press release:

Since version 5.4, the OpenSSH client supports an undocumented feature called roaming.  If a connection to an SSH server breaks unexpectedly, and if the server supports roaming as well, the client is able to reconnect to the server and resume the interrupted SSH session.  The roaming feature is enabled by default in OpenSSH clients, even though no OpenSSH server version implements the roaming feature.

An information leak flaw was found in the way OpenSSH client roaming feature was implemented.  The information leak is exploitable in the default configuration of certain versions of the OpenSSH client and could (depending on the client's version, compiler, and operating system) allow a malicious SSH server to steal the client's private keys.

This bug has similarities to the 2014 Heartbleed vulnerability that affected the OpenSSL crypto library.  Heartbleed was much more serious, because the bug made it possible for anyone with moderate hacking skills to exploit any website using OpenSSL.  By contrast, the OpenSSH bug can only be exploited after a vulnerable end user connects to a maliciously-configured server [5].

Thanks David, for the tipper!




412 Posts
ISC Handler
Jan 17th 2016
The Qualys advisory with exploit is out now:

Sign Up for Free or Log In to start participating in the conversation!