Fixing The New OpenSSH Roaming Bug


Call it an experiment gone wrong: a bug in an experimental feature of the OpenSSH client can be exploited by a malicious server to leak cryptographic keys out of the client's memory. First discovered and announced by the Qualys Security Team, the vulnerability affects OpenSSH client versions 5.4 through 7.1. Here's what you need to know about the bug, including remediation tips.

The flaw involves experimental client-side roaming support that shipped enabled by default in the OpenSSH client, even though the matching server-side code was never released. Roaming was meant to let users resume broken SSH connections. Unfortunately, a maliciously configured server can trigger a bug in the client's roaming code and read parts of the client's memory, including any private keys the client has loaded for authentication. OpenSSH's advisory offers detailed information on the fixed release as well as instructions for manually disabling roaming.

To fix the vulnerability, upgrade to OpenSSH 7.1p2 or to your distribution's patched package. Alternatively, add the option "UseRoaming no" to /etc/ssh/ssh_config (or to the user's ~/.ssh/config). Keep in mind that ssh_config uses the first value it finds for each option, so an earlier Host block that sets UseRoaming would take precedence over a line appended at the end of the file:

# echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config
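As an added example (not from the original post and not part of OpenSSH), the following POSIX shell script checks whether an `ssh -V` banner falls in the affected client range and applies the UseRoaming mitigation without adding the directive twice. It uses printf instead of `echo -e`, because `echo -e` is not portable (dash's echo, the default /bin/sh on Debian and Ubuntu, prints "-e" literally). The function names and the sample banners are my own; vendor backports may fix the bug without changing the version string, so treat the version check as a prompt to verify the package changelog, not as a final verdict.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH itself.
# Checks whether an `ssh -V` banner names a client with the roaming code
# (OpenSSH 5.4 through 7.1; 7.1p2 is the fixed portable release) and
# disables roaming in a config file idempotently.

# Print the major.minor version from a banner such as
# "OpenSSH_7.1p1, OpenSSL 1.0.2e 3 Dec 2015" (the format printed by `ssh -V`).
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) if the banner names a client that still carries the
# roaming code. Distribution backports may be patched without a version
# bump, so a hit here means "check the package changelog", not "vulnerable".
openssh_roaming_affected() {
    banner=$1
    ver=$(openssh_version "$banner")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    # 7.1p2 and later portable releases are fixed upstream.
    case "$banner" in
        OpenSSH_7.1p[2-9]*) return 1 ;;
    esac
    [ "$major" -eq 5 ] && [ "$minor" -ge 4 ] && return 0
    [ "$major" -eq 6 ] && return 0
    [ "$major" -eq 7 ] && [ "$minor" -le 1 ] && return 0
    return 1
}

# Return 0 if the config file already contains an uncommented "UseRoaming no"
# (ssh_config keywords are case-insensitive, so match case-insensitively).
roaming_disabled_in() {
    [ -f "$1" ] && grep -iqE '^[[:space:]]*UseRoaming[[:space:]]+no([[:space:]]|$)' "$1"
}

# Append the mitigation once. ssh_config is first-match-wins, so an existing
# "UseRoaming yes" earlier in the file would override anything appended at
# the end; in that case warn and refuse rather than silently append.
disable_roaming_in() {
    cfg=$1
    if roaming_disabled_in "$cfg"; then
        return 0
    fi
    if [ -f "$cfg" ] && grep -iqE '^[[:space:]]*UseRoaming[[:space:]]+yes' "$cfg"; then
        printf 'warning: %s already sets UseRoaming yes; edit it by hand\n' "$cfg" >&2
        return 2
    fi
    printf '\nHost *\n    UseRoaming no\n' >> "$cfg"
}

# Usage on a live host: ssh prints its -V banner on stderr, so redirect it.
if command -v ssh >/dev/null 2>&1; then
    if openssh_roaming_affected "$(ssh -V 2>&1)"; then
        echo "this ssh client still has the roaming code: upgrade to 7.1p2 or run disable_roaming_in /etc/ssh/ssh_config as root"
    fi
fi
```

Run it as root to edit /etc/ssh/ssh_config, or point disable_roaming_in at ~/.ssh/config for a single user; both functions are safe to run repeatedly.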

The following CVEs have been assigned to the issues related to the bug:

  • CVE-2016-0777: An information leak (memory disclosure) can be exploited by a rogue SSH server to trick a client into leaking sensitive data from the client memory, including for example private keys.
  • CVE-2016-0778: A buffer overflow (leading to a file descriptor leak) can also be exploited by a rogue SSH server, but due to another bug in the code it is possibly not exploitable, and only under non-default conditions: when ProxyCommand, ForwardAgent or ForwardX11 is in use.

If this new OpenSSH flaw sounds familiar, it's because 2014's OpenSSL Heartbleed vulnerability similarly let attackers read memory from vulnerable machines. However, the OpenSSH roaming bug is considered less severe: it can only be exploited by a malicious (or compromised) server that a vulnerable client connects to, so an attacker cannot trigger it against a client that is not already talking to them. That said, Canonical, maker of the popular Ubuntu Linux distribution, stated in an advisory that versions 12.04, 14.04, 15.04, and 15.10 of its OS contain the bug. Additionally, some Red Hat Enterprise Linux (RHEL) 7 openssh packages from before March 2015 are also impacted.

Don't fall victim to vulnerabilities that can leave critical data like cryptographic keys up for grabs. UpGuard's platform for continuous security monitoring checks your entire infrastructure for memory-disclosure vulnerabilities like Heartbleed and the OpenSSH roaming bug, among others. Get a guided demo of UpGuard for free.

Sources

https://www.undeadly.org/cgi?action=article&sid=20160114142733

https://lists.debian.org/debian-security-announce/2016/msg00015.html

https://www.zdnet.com/article/serious-security-flaw-found-in-openssh-puts-private-keys-at-risk/

https://arstechnica.com/information-technology/2016/01/bug-that-can-leak-crypto-keys-just-fixed-in-widely-used-openssh/
