OpenSSH CVE-2016-0777: Details and Mitigation
David Busby
Earlier today, advisories were sent out regarding OpenSSH versions 5.4 through 7.1, informing users about a security bug in the software. In essence, the advisory instructed people to add the UseRoaming no option to their ssh_config file, with a promise that further information would be made available shortly.
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.
— markus (@msfriedl) January 14, 2016
The post on the security issue at OpenBSD Journal can be seen here: http://undeadly.org/cgi?action=article&sid=20160114142733
The release notes detailing the issue and its implications were later published here: http://www.openssh.com/txt/release-7.1p2
The statement below summarizes the main issue:
“The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys.”
So what does this all mean? Simply put, a malicious or compromised server could potentially retrieve the user's private SSH keys from the client's memory. The stolen keys could then be used to authenticate against other servers.
(2FA helps to protect servers from the use of stolen keys, however this is not in as widespread use as it should be.)
In short, until you can update the software, you can use one of the following mitigation options to protect yourself:
1. In your ~/.ssh/config:
   Host *
       UseRoaming no
2. In your system-wide ssh_config (the same Host * / UseRoaming no entry):
   Linux: /etc/ssh/ssh_config
   OS X: /private/etc/ssh/ssh_config
3. On each CLI execution:
   ssh -oUseRoaming=no <hostname>
Personally, I’ve used a combination of 1 and 2, as often a ~/.ssh/config cleanup is required. Make sure to check that your OpenSSH is correctly configured, and keep watching for updates.
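As an added example (not code from the original post), the POSIX shell script below turns the two checks above into something you can run on a client machine: whether an ssh -V version string falls inside the affected 5.4 through 7.1p1 range, and whether a given ssh config file sets UseRoaming no in a scope that covers every host (top level or Host *). The function names, the sample version string and the sample config file are my own constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: two checks for a client box.
# ssh_version_affected    - is an `ssh -V` string inside the 5.4 .. 7.1p1 range?
# config_disables_roaming - does a config file set "UseRoaming no" so that it
#                           applies to every host (top level or under "Host *")?

ssh_version_affected() {
    # Extract "major minor patchlevel" from e.g. "OpenSSH_7.1p1 Ubuntu-4ubuntu0.1, ..."
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)*.*$/\1 \2 \4/p')
    [ -n "$ver" ] || return 2                   # not an OpenSSH version string
    set -- $ver
    num=$(( $1 * 100 + $2 ))                    # 7.1 -> 701
    patch=${3:-1}                               # a bare "7.1" counts as p1
    [ "$num" -ge 504 ] && [ "$num" -le 701 ] || return 1
    [ "$num" -eq 701 ] && [ "$patch" -ge 2 ] && return 1   # 7.1p2 carries the fix
    # Caveat: distributions that backport the fix keep the old version string,
    # so a hit here means "verify the package changelog", not "vulnerable".
    return 0
}

config_disables_roaming() {
    # Keywords are case-insensitive; "key value" and "key=value" are both accepted.
    # Scope starts at top level; "Host *" keeps the directive global, any other
    # Host or Match block narrows it to some hosts only.
    awk '
        { l = tolower($0); sub(/#.*/, "", l) }
        l ~ /^[ \t]*host[ \t]+/  { scope = ($2 == "*") ? "all" : "some"; next }
        l ~ /^[ \t]*match[ \t]+/ { scope = "some"; next }
        scope != "some" && l ~ /^[ \t]*useroaming[ \t=]+no[ \t]*$/ { found = 1; exit }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample input for the demonstration (not a real user's file).
demo=$(mktemp)
printf 'Host bastion\n    UseRoaming no\n\nHost *\n    UseRoaming no\n' > "$demo"
if config_disables_roaming "$demo"; then
    echo "sample config: roaming disabled for all hosts"
fi
if ssh_version_affected "OpenSSH_7.1p1 Ubuntu-4ubuntu0.1, OpenSSL 1.0.2e 3 Dec 2015"; then
    echo "sample version: in the affected range, mitigate or update"
fi
rm -f "$demo"
```

On a live system, feed it the real values with ssh_version_affected "$(ssh -V 2>&1)" (ssh -V prints to stderr) and point config_disables_roaming at ~/.ssh/config and /etc/ssh/ssh_config.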