Vulnerability Note VU#456088
OpenSSH Client contains a client information leak vulnerability and buffer overflow
OpenSSH client code versions 5.4 through 7.1p1 contain a client information leak vulnerability that could allow an OpenSSH client to leak information, including but not limited to private keys, as well as a buffer overflow in certain non-default configurations.
CWE-200: Information Exposure - CVE-2016-0777
According to the OpenSSH release notes for version 7.1p2:
The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys.
The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.
CWE-122: Heap-based Buffer Overflow - CVE-2016-0778
According to Qualys, the API functions packet_write_wait() and ssh_packet_write_wait() may overflow in some scenarios after a successful reconnection.
Qualys also notes that:
For more information, please see Qualys's advisory. The CVSS score below is based on CVE-2016-0777.
A user who authenticates to a malicious or compromised server may reveal private data, including the user's private SSH key, or cause a buffer overflow that may lead to remote code execution in certain non-default configurations.
Apply an update
Disable the 'UseRoaming' Feature
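The following audit helper is an added example, not code from CERT/CC, Qualys or OpenSSH. It checks an `ssh -V` banner against the affected range stated in this note and checks whether an ssh_config text disables UseRoaming for every host. The function names and the sample banner and config are constructed for illustration.

```python
import re

# Affected range as stated in this note: 5.4 through 7.1p1 (7.1p2 carries the fix).
# Caveat: vendors may backport the fix without changing the banner, so a match
# means "check the vendor advisory", not "confirmed vulnerable".
FIRST_AFFECTED = (5, 4, 0, 0)
LAST_AFFECTED = (7, 1, 0, 1)

def parse_version(banner):
    """Turn `ssh -V` output into (major, minor, patch, portable) or None."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", banner)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def version_in_range(banner):
    v = parse_version(banner)
    return v is not None and FIRST_AFFECTED <= v <= LAST_AFFECTED

def roaming_disabled(config_text):
    """True only if the first UseRoaming setting is 'no' and applies to all hosts.
    ssh_config keeps the first value obtained for a keyword, so an earlier
    host-specific 'yes' (or a 'no' scoped to one host) does not count."""
    applies_to_all = True  # lines before the first Host/Match block are global
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key in ("host", "match"):
            applies_to_all = key == "host" and value == "*"
        elif key == "useroaming":
            return applies_to_all and value.lower() == "no"
    return False  # never set: the note says the client code was enabled by default

def audit(banner, config_text):
    if not version_in_range(banner):
        return "outside affected range"
    if roaming_disabled(config_text):
        return "in range, roaming disabled"
    return "in range, roaming not disabled"

if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real host.
    sample_banner = "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014"
    sample_config = "Host build\n  UseRoaming yes\nHost *\n  UseRoaming no\n"
    print(audit(sample_banner, sample_config))
```

Feed it the merged text of the per-user and system-wide client configuration files in the order ssh reads them, since the first value obtained wins.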
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Debian GNU/Linux | Affected | 14 Jan 2016 | 14 Jan 2016 |
| Hardened BSD | Affected | 14 Jan 2016 | 14 Jan 2016 |
| OpenBSD | Affected | 14 Jan 2016 | 15 Jan 2016 |
| OpenSSH | Affected | - | 14 Jan 2016 |
| Ubuntu | Affected | 14 Jan 2016 | 14 Jan 2016 |
| Openwall GNU/*/Linux | Not Affected | 14 Jan 2016 | 20 Jan 2016 |
| ACCESS | Unknown | 14 Jan 2016 | 14 Jan 2016 |
| Alcatel-Lucent | Unknown | 14 Jan 2016 | 14 Jan 2016 |
| Apple | Unknown | 14 Jan 2016 | 14 Jan 2016 |
| Arch Linux | Unknown | 14 Jan 2016 | 14 Jan 2016 |
| Arista Networks, Inc. | Unknown | 14 Jan 2016 | 14 Jan 2016 |
| Aruba Networks | Unknown | 14 Jan 2016 | 14 Jan 2016 |
| AT&T | Unknown | 14 Jan 2016 | 14 Jan 2016 |
| Avaya, Inc. | Unknown | 14 Jan 2016 | 14 Jan 2016 |
| Barracuda Networks | Unknown | 14 Jan 2016 | 14 Jan 2016 |
CVSS Metrics
This issue was previously coordinated and publicly disclosed by the Qualys Security Advisory Team.
This document was written by Brian Gardiner and Garret Wassermann.
- CVE IDs: CVE-2016-0777 CVE-2016-0778
- Date Public: 14 Jan 2016
- Date First Published: 14 Jan 2016
- Date Last Updated: 20 Jan 2016
- Document Revision: 45