
CERT Coordination Center

OpenSSH Client contains a client information leak vulnerability and buffer overflow

Vulnerability Note VU#456088

Original Release Date: 2016-01-14 | Last Revised: 2016-01-20

Overview

OpenSSH client versions 5.4 through 7.1p1 contain a client information leak vulnerability that could allow an OpenSSH client to leak information, including but not limited to private keys, as well as a buffer overflow in certain non-default configurations.

Description

CWE-200: Information Exposure - CVE-2016-0777

According to the OpenSSH release notes for version 7.1p2:

 The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming).

The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys.

The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.

CWE-122: Heap-based Buffer Overflow - CVE-2016-0778

According to Qualys, the API functions packet_write_wait() and ssh_packet_write_wait() may overflow in some scenarios after a successful reconnection.

Qualys also notes that:

    The buffer overflow, on the other hand, is present in the default configuration of the OpenSSH client but its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X). This buffer overflow is therefore unlikely to have any real-world impact, but provides a particularly interesting case study.

For more information, please see Qualys's advisory. The CVSS score below is based on CVE-2016-0777.

Impact

A user who authenticates to a malicious or compromised server may reveal private data, including the user's private SSH key, or trigger a buffer overflow that may lead to remote code execution in certain non-default configurations.

Solution

Apply an update

OpenSSH 7.1p2 has been released to address these issues. Affected users are advised to update as soon as possible.

If updating is not currently an option, consider the following workaround:

Disable the 'UseRoaming' Feature

The vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the global ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.
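
One way to check that the workaround is actually in effect, as an added example (not part of the original note or of OpenSSH): a shell function that scans ssh_config(5) files in the order ssh reads them and applies the first-value-wins rule. The function name `roaming_disabled` and the sample host name are made up for illustration, and only the literal value `no` is accepted as disabling the feature.

```sh
#!/bin/sh
# Added example: audit ssh_config(5) files for the "UseRoaming no" workaround.
# ssh uses the first value it obtains for an option, so pass files in the
# order ssh reads them: user config first, then the global file.

# roaming_disabled FILE...
# Returns 0 only if a "UseRoaming no" that applies to every host is reached
# before any other UseRoaming value. Unreadable files are skipped.
roaming_disabled() {
    for f in "$@"; do
        shift
        if [ -r "$f" ]; then set -- "$@" "$f"; fi
    done
    [ "$#" -gt 0 ] || return 1      # nothing to read: the client default applies
    awk '
        BEGIN    { status = 1 }
        FNR == 1 { all_hosts = 1 }  # each file starts outside any Host block
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            # "keyword value" or "keyword=value"; keywords are case-insensitive
            match(line, /^[^ \t=]+/)
            key = tolower(substr(line, 1, RLENGTH))
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)

            if (key == "host")  { all_hosts = (val == "*"); next }
            if (key == "match") { all_hosts = 0; next }
            if (key != "useroaming") next
            if (val != "no") exit       # roaming left on for at least one host
            if (all_hosts) { status = 0; exit }
            # a host-specific "no" does not protect other hosts: keep scanning
        }
        END { exit status }
    ' "$@"
}

# Constructed sample: the workaround is scoped to one host only, so it fails.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host bastion.example.net
    UseRoaming no
Host *
    ForwardAgent no
EOF
if roaming_disabled "$sample"; then
    echo "UseRoaming is disabled for all hosts"
else
    echo "UseRoaming is NOT disabled for all hosts"
fi
rm -f "$sample"
```

On a real system the call would be `roaming_disabled ~/.ssh/config /etc/ssh/ssh_config`. A `-oUseRoaming=no` passed on the command line is not visible to a file audit like this one.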

Vendor Information


Debian GNU/Linux

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://security-tracker.debian.org/tracker/CVE-2016-0777
https://security-tracker.debian.org/tracker/CVE-2016-0778

Hardened BSD

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

"We released new versions with the workaround:

https://github.com/HardenedBSD/hardenedBSD-stable/commit/831e4682e627882dec7430052af7b74541aa79dc
https://github.com/HardenedBSD/hardenedBSD/commit/efa4e9c808a18c3f6c291981d1a463b10ba8c514

Fixed in these versions:
https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedBSD-10-STABLE-v39.1
https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedBSD-11-CURRENT-v39.2"

OpenBSD

Notified:  January 14, 2016 Updated:  January 15, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

OpenBSD has patches available:

Vendor References

http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/010_ssh.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/022_ssh.patch.sig

OpenSSH

Updated:  January 14, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.openssh.com/txt/release-7.1p2

Ubuntu

Notified:  January 14, 2016 Updated:  January 14, 2016

Statement Date:   January 14, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Updates are now available for supported releases.

Vendor References

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/OpenSSHClientRoaming
http://www.ubuntu.com/usn/usn-2869-1/

Openwall GNU/*/Linux

Notified:  January 14, 2016 Updated:  January 20, 2016

Statement Date:   January 19, 2016

Status

  Not Affected

Vendor Statement

"Openwall GNU/*/Linux is not affected. We're using a fork of an older version of OpenSSH, from prior to the introduction of the roaming feature."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

AT&T

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Alcatel-Lucent

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Apple

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Arch Linux

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Arista Networks, Inc.

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Aruba Networks

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Avaya, Inc.

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Barracuda Networks

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Belkin, Inc.

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Blue Coat Systems

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Brocade Communication Systems

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CA Technologies

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CentOS

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Check Point Software Technologies

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Cisco

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CoreOS

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

D-Link Systems, Inc.

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DesktopBSD

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DragonFly BSD Project

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

EMC Corporation

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Enterasys Networks

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ericsson

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

European Registry for Internet Domains

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Extreme Networks

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

F5 Networks, Inc.

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fedora Project

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Force10 Networks

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fortinet, Inc.

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Foundry Brocade

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

FreeBSD Project

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

GNU adns

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

GNU glibc

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Gentoo Linux

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Google

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hewlett Packard Enterprise

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hitachi

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Huawei Technologies

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM eServer

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Infoblox

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Intel Corporation

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Internet Systems Consortium

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Internet Systems Consortium - DHCP

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

JH Software

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Juniper Networks

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

McAfee

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Microsoft Corporation

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NEC Corporation

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NLnet Labs

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NetBSD

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nokia

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nominum

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OmniTI

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenDNS

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Oracle Corporation

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

PC-BSD

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Peplink

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

PowerDNS

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Q1 Labs

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

QNX Software Systems Inc.

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Red Hat, Inc.

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SUSE Linux

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SafeNet

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Secure64 Software Corporation

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Slackware Linux Inc.

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SmoothWall

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Snort

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sony Corporation

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sourcefire

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Symantec

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

TippingPoint Technologies Inc.

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Turbolinux

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Unisys

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

VMware

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Wind River

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

ZyXEL

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

dnsmasq

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

gdnsd

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

m0n0wall

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

openSUSE project

Notified:  January 14, 2016 Updated:  January 14, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.



CVSS Metrics

Group Score Vector
Base 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal 3.6 E:F/RL:OF/RC:C
Environmental 2.7 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

This issue was previously coordinated and publicly disclosed by the Qualys Security Advisory Team.

This document was written by Brian Gardiner and Garret Wassermann.

Other Information

CVE IDs: CVE-2016-0777, CVE-2016-0778
Date Public: 2016-01-14
Date First Published: 2016-01-14
Date Last Updated: 2016-01-20 19:49 UTC
Document Revision: 45

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.