Vulnerability Note VU#456088
OpenSSH Client contains a client information leak vulnerability and buffer overflow
Overview
OpenSSH client code versions 5.4 through 7.1p1 contain a client information leak vulnerability that could allow an OpenSSH client to leak information, including but not limited to private keys, as well as a buffer overflow in certain non-default configurations.
Description
CWE-200: Information Exposure - CVE-2016-0777
According to the OpenSSH release notes for version 7.1p2:
The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys. The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.
CWE-122: Heap-based Buffer Overflow - CVE-2016-0778
According to Qualys, the API functions packet_write_wait() and ssh_packet_write_wait() may overflow in some scenarios after a successful reconnection. Qualys also notes that:
For more information, please see Qualys's advisory. The CVSS score below is based on CVE-2016-0777.
Impact
A user that authenticates to a malicious or compromised server may reveal private data, including the user's private SSH key, or cause a buffer overflow that may lead to remote code execution in certain non-default configurations.
Solution
Apply an update
Disable the 'UseRoaming' Feature
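A small check for the two remediations above, added here as an example and not part of the CERT note or of OpenSSH itself: it classifies the version string printed by `ssh -V` against the affected range the note gives (5.4 through 7.1p1, fixed in 7.1p2) and looks for an uncommented `UseRoaming no` directive in a client config file. The config check is file-level only and does not evaluate Host/Match scoping; the report paths and message wording are assumptions.

```sh
#!/bin/sh
# Added example, not from the CERT note or the OpenSSH project: flag an OpenSSH
# client whose version falls in the range the note lists (5.4 through 7.1p1)
# and check whether a client config file carries the "UseRoaming no" mitigation.

# Returns 0 when a version string in the form printed by `ssh -V`
# ("OpenSSH_X.Y[pN], ...") is inside 5.4 .. 7.1p1, 1 otherwise (including
# strings that cannot be parsed).
openssh_version_affected() {
    ver=$(printf '%s' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \4/p')
    [ -n "$ver" ] || return 1
    set -- $ver                      # major minor [portable patch level]
    major=$1; minor=$2; plevel=${3:-0}
    case "$major" in
        5) [ "$minor" -ge 4 ] ;;     # 5.4 is the first release in the affected range
        6) true ;;
        7) [ "$minor" -lt 1 ] || { [ "$minor" -eq 1 ] && [ "$plevel" -lt 2 ]; } ;;
        *) false ;;
    esac
}

# Returns 0 when the file contains an uncommented "UseRoaming no" directive
# (keyword case-insensitive, "=" or whitespace separator). File-level check
# only: Host/Match block scoping is not evaluated.
useroaming_disabled() {
    [ -r "$1" ] || return 1
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]=]+no([[:space:]]|$)' "$1"
}

# Stand-alone report for the local client; runs only when an ssh binary exists.
report() {
    v=$(ssh -V 2>&1 || true)
    if openssh_version_affected "$v"; then
        echo "client '$v' is in the affected range; update to 7.1p2 or later"
    else
        echo "client '$v' is outside the affected range"
    fi
    for f in /etc/ssh/ssh_config "$HOME/.ssh/config"; do
        if useroaming_disabled "$f"; then
            echo "$f: UseRoaming is disabled"
        else
            echo "$f: no 'UseRoaming no' directive found (or file unreadable)"
        fi
    done
    return 0
}
if command -v ssh >/dev/null 2>&1; then report; fi
```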
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Debian GNU/Linux | Affected | 14 Jan 2016 | 14 Jan 2016 |
Hardened BSD | Affected | 14 Jan 2016 | 14 Jan 2016 |
OpenBSD | Affected | 14 Jan 2016 | 15 Jan 2016 |
OpenSSH | Affected | - | 14 Jan 2016 |
Ubuntu | Affected | 14 Jan 2016 | 14 Jan 2016 |
Openwall GNU/*/Linux | Not Affected | 14 Jan 2016 | 20 Jan 2016 |
ACCESS | Unknown | 14 Jan 2016 | 14 Jan 2016 |
Alcatel-Lucent | Unknown | 14 Jan 2016 | 14 Jan 2016 |
Apple | Unknown | 14 Jan 2016 | 14 Jan 2016 |
Arch Linux | Unknown | 14 Jan 2016 | 14 Jan 2016 |
Arista Networks, Inc. | Unknown | 14 Jan 2016 | 14 Jan 2016 |
Aruba Networks | Unknown | 14 Jan 2016 | 14 Jan 2016 |
AT&T | Unknown | 14 Jan 2016 | 14 Jan 2016 |
Avaya, Inc. | Unknown | 14 Jan 2016 | 14 Jan 2016 |
Barracuda Networks | Unknown | 14 Jan 2016 | 14 Jan 2016 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Temporal | 3.6 | E:F/RL:OF/RC:C |
Environmental | 2.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- http://www.openssh.com/txt/release-7.1p2
- https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
- http://undeadly.org/cgi?action=article&sid=20160114142733
- https://github.com/openssh/openssh-portable/blob/8408218c1ca88cb17d15278174a24a94a6f65fe1/roaming_client.c#L70
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777
- https://isc.sans.edu/forums/diary/OpenSSH+71p2+released+with+security+fix+for+CVE20160777/20613/
- https://access.redhat.com/articles/2123781
Credit
This issue was previously coordinated and publicly disclosed by the Qualys Security Advisory Team.
This document was written by Brian Gardiner and Garret Wassermann.
Other Information
- CVE IDs: CVE-2016-0777 CVE-2016-0778
- Date Public: 14 Jan 2016
- Date First Published: 14 Jan 2016
- Date Last Updated: 20 Jan 2016
- Document Revision: 45
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.