OpenSSH Client Vulnerability
ScaleArc is aware of the security vulnerability in OpenSSH titled OpenSSH Client contains a client information leak vulnerability and buffer overflow identified on January 14, 2016.
At this time, the ScaleArc Security Response Team (SRT) has determined that ScaleArc’s software appliance is not affected. ScaleArc currently utilizes OpenSSH_5.3p1. Please keep reading for additional information as well as detailed steps to check for the vulnerability and apply the update to your systems.
(from CERT Vulnerability Database)
OpenSSH client code versions 5.4 through 7.1p1 contains a client information leak vulnerability that could allow an OpenSSH client to leak information not limited to but including private keys, as well as a buffer overflow in certain non-default configurations.
CWE-200: Information Exposure - CVE-2016-0777
According to the OpenSSH release notes for version 7.1p2 :
The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming).
The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys.
The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.
CWE-122: Heap-based Buffer Overflow - CVE-2016-0778
According to Qualys, the API functions packet_write_wait() and ssh_packet_write_wait() may overflow in some scenarios after a successful reconnection.
Qualys also notes that:
The buffer overflow, on the other hand, is present in the default configuration of the OpenSSH client but its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X). This buffer overflow is therefore unlikely to have any real-world impact, but provides a particularly interesting case study.
For more information, please see Qualys's advisory. The CVSS score below is based on CVE-2016-0777.
A user that authenticates to a malicious or compromised server may reveal private data, including the user's private SSH key, or cause a buffer overflow that may lead to remote code execution in certain non-default configurations.
DO NOT perform an update of the entire system.
Apply an update
OpenSSH 7.1p2 has released to address these issues. Affected users are recommended to update as soon as possible.
If update is currently not an option, you may consider the following workaround:
Disable the 'UseRoaming' Feature
The vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the globalssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.
If you have any questions specific to ScaleArc appliances, images, or other deployments, please contact ScaleArc Support directly using our Support Portal: https://support.scalearc.com
This Article is also available here: