Contributed by tj on Thu Jan 14 19:14:52 2016 (GMT)
from the i-have-a-fviend-in-Vome dept.
This is the most serious bug you’ll hear about this week: the issues identified and fixed in OpenSSH are dubbed CVE-2016-0777 and CVE-2016-0778.
An early heads up came from Theo de Raadt in this mailing list posting.
Until you are able to patch affected systems, the recommended workaround is to use
# echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config
That is, add the option UseRoaming no to your /etc/ssh/ssh_config (or your user's ~/.ssh/config) file, or start your ssh client with -oUseRoaming=no included on the command line.
We will be updating this article with more information as it becomes available.
UPDATE: This affects OpenSSH versions 5.4 through 7.1.
UPDATE: The following commit from deraadt@ has just gone in:
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2016/01/14 07:34:34

Modified files:
usr.bin/ssh : readconf.c ssh.c

Log message:
Disable experimental client-side roaming support. Server side was
disabled/gutted for years already, but this aspect was surprisingly
forgotten. Thanks for report from Qualys
UPDATE: Errata patches for 5.8 and 5.7 have been published.
UPDATE: Portable OpenSSH 7.1p2 has been released:
* SECURITY: ssh(1): The OpenSSH client code between 5.4 and 7.1
contains experimental support for resuming SSH-connections (roaming).

The matching server code has never been shipped, but the client
code was enabled by default and could be tricked by a malicious
server into leaking client memory to the server, including private
client user keys.

The authentication of the server host key prevents exploitation
by a man-in-the-middle, so this information leak is restricted
to connections to malicious or compromised servers.

MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client
can be completely disabled by adding 'UseRoaming no' to the global
ssh_config(5) file, or to user configuration in ~/.ssh/config,
or by passing -oUseRoaming=no on the command line.
UPDATE: Fixed versions are available for OpenBSD snapshots dated 2016-01-12 and later. M:Tier has binpatches for OpenBSD 5.7-stable and 5.8-stable. Debian, Ubuntu, RHEL, and many other Linux distros have it now or will soon.
UPDATE: The Debian announcement has some more details:
The Qualys Security team discovered two vulnerabilities in the roaming
code of the OpenSSH client (an implementation of the SSH protocol
suite).

SSH roaming enables a client, in case an SSH connection breaks
unexpectedly, to resume it at a later time, provided the server also
supports it.

The OpenSSH server doesn’t support roaming, but the OpenSSH client
supports it (even though it’s not documented) and it’s enabled by
default.

CVE-2016-0777

An information leak (memory disclosure) can be exploited by a rogue
SSH server to trick a client into leaking sensitive data from the
client memory, including for example private keys.

CVE-2016-0778

A buffer overflow (leading to file descriptor leak) can also be
exploited by a rogue SSH server, but due to another bug in the code
is possibly not exploitable, and only under certain conditions (not
the default configuration), when using ProxyCommand, ForwardAgent or
ForwardX11.
UPDATE: The roaming code has been stripped out of OpenBSD -current:
CVSROOT: /cvs
Module name: src
Changes by: markus@cvs.openbsd.org 2016/01/14 09:17:40

Modified files:
usr.bin/ssh : clientloop.c kex.c kex.h monitor.c
monitor_wrap.c opacket.c opacket.h packet.c
packet.h readconf.c readconf.h serverloop.c
ssh.c ssh2.h sshconnect.c sshconnect2.c sshd.c
usr.bin/ssh/lib: Makefile
usr.bin/ssh/ssh: Makefile
usr.bin/ssh/ssh-keyscan: Makefile
usr.bin/ssh/ssh-keysign: Makefile
usr.bin/ssh/sshd: Makefile
Removed files:
usr.bin/ssh : roaming.h roaming_client.c roaming_common.c
roaming_dummy.c roaming_serv.c

Log message:
remove roaming support; ok djm@
UPDATE: The FreeBSD port has been updated too, but the version in their base system remains vulnerable.
UPDATE: Qualys Security has posted their full report on the issues. One interesting note from it:
OpenSSH 6.6 is the only version that is not affected, because it calls
explicit_bzero() instead of memset() or bzero().
UPDATE: While the information leak is much more difficult to exploit on systems with ASLR, like OpenBSD, some users may want to consider rotating their key pairs. If you use ssh-agent(1), however, the man page offers some good news:
The agent will never send a private key over its request channel. Instead, operations
that require a private key will be performed by the agent, and the result will be
returned to the requester. This way, private keys are not exposed to clients using the
agent.
UPDATE: For Mac OS X, the version of OpenSSH in MacPorts has been updated. Since Apple typically delays security fixes, you’re advised to apply the workaround if using the bundled OpenSSH instead.

Re: OpenSSH: client bug CVE-0216-0777 (mod 6/6)
by Noryungi (noryungi) (noryungi@yahoo.com) on Thu Jan 14 15:58:57 2016 (GMT)
CVE number should be CVE-2016-0777 … no?

Thanks for the heads up.
Re: OpenSSH: client bug CVE-0216-0777 (1/1) by phessler on Thu Jan 14 16:04:56 2016 (GMT)
Re: OpenSSH: client bug CVE-0216-0777 (0/4) by XANi on Thu Jan 14 16:24:48 2016 (GMT)
Re: OpenSSH: client bug CVE-0216-0777 (0/0) by Anonymous Coward on Thu Jan 14 17:21:28 2016 (GMT)
Re: OpenSSH: client bug CVE-0216-0777 (1/1) by XANi on Thu Jan 14 18:40:09 2016 (GMT)

Re: OpenSSH: client bug CVE-2016-0777 (mod -2/6)
by Dan Langille (198.148.79.136) (dan@langille.org) on Thu Jan 14 16:25:47 2016 (GMT)
Confirmed by two sources: ‘UseRoaming no’ is the default setting.
Re: OpenSSH: client bug CVE-2016-0777 (1/1) by Anonymous Coward on Thu Jan 14 16:57:16 2016 (GMT)
Re: OpenSSH: client bug CVE-2016-0777 (2/2) by Anonymous Coward on Thu Jan 14 17:12:26 2016 (GMT)
Re: OpenSSH: client bug CVE-2016-0777 (0/0) by Dan Langille on Thu Jan 14 17:27:36 2016 (GMT)
Re: OpenSSH: client bug CVE-2016-0777 (0/0) by Anonymous Coward on Thu Jan 14 17:09:12 2016 (GMT)
Re: OpenSSH: client bug CVE-2016-0777 (1/1) by sthen on Thu Jan 14 17:12:22 2016 (GMT)
Re: OpenSSH: client bug CVE-2016-0777 (0/0) by Anonymous Coward on Thu Jan 14 17:23:30 2016 (GMT)
Re: OpenSSH: client bug CVE-2016-0777 (0/0) by Bryce C on Thu Jan 14 17:52:24 2016 (GMT)

Re: OpenSSH: client bug CVE-2016-0777 and CVE-2016-0778 (mod 1/1)
by Anonymous Coward (87.142.8.108) on Thu Jan 14 16:44:27 2016 (GMT)
> Until you are able to patch affected systems, the recommended
> workaround is to use
> # echo 'UseRoaming no' >> /etc/ssh/ssh_config

If for some reason your ssh_config ends with a different
Host pattern this might not apply to all targets. No?

Re: OpenSSH: client bug CVE-2016-0777 and CVE-2016-0778 (1/3) by phessler on Thu Jan 14 16:59:55 2016 (GMT)
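The article's appended workaround and the commenter's concern about a trailing Host block both come down to how ssh_config(5) scopes options: everything after a Host line applies only to hosts matching that pattern, and for each option the first value obtained wins. The following Python script is an added example, not code from the page or from OpenSSH; it models only Host blocks (not Match), assumes the 5.4 to 7.1 client default of UseRoaming yes, and uses constructed sample configs to show which hosts each form of the workaround actually covers.

```python
"""Minimal model of the ssh_config(5) Host-block rules that decide whether an
appended 'UseRoaming no' really covers every host.

Added example, not OpenSSH code. Assumptions (labelled as such):
  * only 'Host' blocks are modelled, not 'Match';
  * the client default for UseRoaming is 'yes', as the 5.4-7.1 client shipped;
  * patterns support '*', '?' and '!' negation, matched case-insensitively
    via fnmatch (which also accepts bracket classes that ssh does not).
"""
import fnmatch

# Client default in OpenSSH 5.4 .. 7.1 (assumption matching the advisory text).
DEFAULT_USEROAMING = "yes"


def host_matches(hostname: str, patterns: list[str]) -> bool:
    """ssh_config(5): a host matches a Host line if it matches at least one
    non-negated pattern and matches no negated pattern."""
    host = hostname.lower()
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:].lower()):
                return False
        elif fnmatch.fnmatchcase(host, pat.lower()):
            positive = True
    return positive


def effective_option(config_text: str, hostname: str, keyword: str, default: str) -> str:
    """Return the value ssh would use for `keyword` when connecting to `hostname`.

    ssh_config(5) rule: for each parameter, the FIRST obtained value is used,
    so a later Host block cannot override an earlier one."""
    in_scope = True  # options before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        # Keywords may be separated from values by whitespace or '='.
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            in_scope = host_matches(hostname, args)
        elif in_scope and key == keyword.lower() and args:
            return args[0].lower()
    return default


def roaming_disabled(config_text: str, hostname: str) -> bool:
    """True if the client would connect to `hostname` with roaming off."""
    return effective_option(config_text, hostname, "UseRoaming", DEFAULT_USEROAMING) == "no"


def audit(config_text: str, hosts: list[str]) -> dict[str, bool]:
    """Map each host to whether roaming is disabled under this config."""
    return {h: roaming_disabled(config_text, h) for h in hosts}


# --- Constructed sample configs (not from the page) -------------------------
# A config that already ended with a specific Host block, then had the bare
# one-liner appended: the option lands inside that block and covers only it.
BARE_APPEND = """\
Host bastion
    User ops
    Port 2222
UseRoaming no
"""

# The article's workaround: a fresh 'Host *' block opened before the option.
HOST_STAR_APPEND = """\
Host bastion
    User ops
    Port 2222
Host *
UseRoaming no
"""

# Edge case: an earlier block already set the option for one host, so the
# first value wins there and the appended 'Host *' does not reach it.
EARLIER_YES = """\
Host legacy.example
    UseRoaming yes
Host *
UseRoaming no
"""

if __name__ == "__main__":
    hosts = ["bastion", "git.example", "legacy.example"]
    for name, cfg in [("bare append", BARE_APPEND),
                      ("Host * append", HOST_STAR_APPEND),
                      ("earlier yes", EARLIER_YES)]:
        print(f"{name:14s} {audit(cfg, hosts)}")
```

Running it prints a per-host map for each config: the bare one-liner only disables roaming for bastion, the Host * form covers every host, and an earlier per-host UseRoaming yes survives even with Host * appended, because the first value obtained wins. On OpenSSH 6.8 or later, ssh -G hostname prints the effective configuration and is the authoritative check; this script only reproduces the Host rule so the effect of where the line lands is visible.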
Taken from http://undeadly.org/