Fixing The New OpenSSH Roaming Bug

Posted by UpGuard

OpenSSH Roaming Bug

Call it an experiment gone wrong: a bug in a test feature of the OpenSSH client was disclosed today and is readily exploitable, potentially leaking cryptographic keys to malicious attackers. First discovered and announced by the Qualys Security Team, the vulnerability affects OpenSSH versions 5.4 through 7.1. Here's what you need to know about the bug, including remediation tips.

The flaw involves the accidental inclusion of experimental client-side roaming support in the OpenSSH client, despite being disabled on the server-side years ago. This feature essentially enables users to resume broken SSH connections. Unfortunately, a maliciously configured server can exploit a bug in the client and capture its memory contents, including any private encryption keys used for SSH connections. OpenSSH's advisory note offers detailed information on how to patch the vulnerable client, as well as instructions for manually disabling SSH roaming.


To fix the vulnerability, download and apply the security patch. Alternatively, add the option "UseRoaming no" to /etc/ssh/ssh_config (or the user's ~/.ssh/config) file:

# echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config
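As an added example (not code from the UpGuard post or from the OpenSSH project), the following POSIX shell script applies the "UseRoaming no" mitigation above idempotently, using printf instead of the non-portable echo -e, and classifies an OpenSSH version string (as printed by ssh -V) against the affected 5.4 through 7.1 range. The config file it writes to is a constructed temporary file, not a real system path.

```shell
#!/bin/sh
# Added example, not code from the UpGuard post or from OpenSSH.
# Applies the "UseRoaming no" client mitigation idempotently and
# classifies an OpenSSH version string against the affected range.

# Return 0 if the config already has an active (uncommented)
# "UseRoaming no" line, 1 otherwise. Matching is case-insensitive.
roaming_disabled() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no([[:space:]]|$)' "$cfg"
}

# Append the mitigation only when it is missing. printf is used because
# 'echo -e' is not portable across /bin/sh implementations. ssh_config
# keeps the first value seen for an option, so a trailing "Host *" block
# still applies unless an earlier block already sets UseRoaming.
disable_roaming() {
    cfg="$1"
    roaming_disabled "$cfg" && return 0
    printf 'Host *\n    UseRoaming no\n' >> "$cfg"
}

# Return 0 if a version string such as "OpenSSH_6.6.1p1" (the start of
# 'ssh -V' output) lies in the affected range 5.4 through 7.1, 1 if it
# does not, and 2 if the string cannot be parsed.
version_affected() {
    parsed=$(printf '%s' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$parsed" ] || return 2
    maj=${parsed%% *}
    min=${parsed#* }
    [ "$maj" -eq 5 ] && [ "$min" -ge 4 ] && return 0
    [ "$maj" -eq 6 ] && return 0
    [ "$maj" -eq 7 ] && [ "$min" -le 1 ] && return 0
    return 1
}

# Demonstration on a constructed config file (not a real system path).
demo_cfg=$(mktemp)
printf 'Host bastion\n    ForwardAgent yes\n' > "$demo_cfg"
disable_roaming "$demo_cfg"
disable_roaming "$demo_cfg"   # second call must not duplicate the line
printf 'UseRoaming lines present: %s\n' "$(grep -ci useroaming "$demo_cfg")"
if command -v ssh >/dev/null 2>&1; then
    version_affected "$(ssh -V 2>&1)" && echo "installed ssh is in the affected range"
fi
rm -f "$demo_cfg"
```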

The following CVEs have been assigned to the issues related to the bug:

  • CVE-2016-0777: An information leak (memory disclosure) can be exploited by a rogue SSH server to trick a client into leaking sensitive data from the client memory, including for example private keys.
  • CVE-2016-0778: A buffer overflow (leading to a file descriptor leak) can also be exploited by a rogue SSH server, but due to another bug in the code it is possibly not exploitable, and only under certain conditions (not the default configuration), when using ProxyCommand, ForwardAgent or ForwardX11.

If this new OpenSSH flaw sounds familiar, it's because 2014's OpenSSL Heartbleed vulnerability similarly gives attackers the ability to read the RAM contents of vulnerable computers. However, the OpenSSH roaming bug is considered less severe, as it is only exploitable after a vulnerable client connects to a malicious server. That said, Canonical, maker of the popular Ubuntu Linux, stated in an advisory that versions 12.04, 14.04, 15.04, and 15.10 of its OS contain the bug. Additionally, some versions of Red Hat Enterprise Linux (RHEL) 7 prior to March 2015 are also impacted.

Don't fall victim to vulnerabilities that can leave critical data like cryptographic keys up for grabs. UpGuard's platform for continuous security monitoring ensures that your entire infrastructure is free from SSH vulnerabilities like Heartbleed and the Roaming Bug, among others. Get a guided demo of UpGuard for free.
