Bug 1298032 (CVE-2016-0777)
| Field | Value |
|---|---|
| Summary | CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature |
| Product | [Other] Security Response |
| Reporter | Huzaifa S. Sidhpurwala <huzaifas> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | carnil, fedora, fhirtz, jaeshin, jjelen, jonathan.moore, jrusnack, mattias.ellert, mjc, redhat-bugzilla, sardella, security-response-team, slawomir, thughes, tmraz, trevor.hemsley |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | openssh 7.1p2 |
| Doc Type | Bug Fix |
| Doc Text | An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client. |
| Last Closed | 2016-01-14 20:54:54 UTC |
| Bug Depends On | 1298217, 1298218, 1298626, 1298817, 1298818 |
| Bug Blocks | 1298034 |
Description
Huzaifa S. Sidhpurwala
2016-01-13 03:41:49 UTC
Mitigation:

1. The vulnerable roaming code can be permanently disabled by adding the undocumented option "UseRoaming no" to the system-wide configuration file (usually /etc/ssh/ssh_config), or per-user configuration file (~/.ssh/config), or command-line (-o "UseRoaming no").

2. If an OpenSSH client is disconnected from an SSH server that offers roaming, it prints "[connection suspended, press return to resume]" on stderr, and waits for '\n' or '\r' on stdin (and not on the controlling terminal) before it reconnects to the server; advanced users may become suspicious and press Control-C or Control-Z instead, thus avoiding the information leak. However, SSH commands that use the local stdin to transfer data to the remote server are bound to trigger this reconnection automatically (upon reading a '\n' or '\r' from stdin). Moreover, these non-interactive SSH commands (for example, backup scripts and cron jobs) commonly employ public-key authentication and are therefore perfect targets for this information leak.

The "roaming" feature of OpenSSH clients was introduced in OpenSSH-5.4. Therefore Red Hat Enterprise Linux 4, 5, and 6 are not affected by this flaw. OpenSSH-6.6 is vulnerable to this issue but only when used with "ProxyCommands" not in a default configuration, therefore the version of OpenSSH shipped with Red Hat Enterprise Linux 7 is affected by this flaw. Also Red Hat Enterprise Linux 4, 5, 6 and 7 do not enable this "roaming" feature on the server side.

Statement: This issue does not affect the version of OpenSSH as shipped with Red Hat Enterprise Linux 4, 5 and 6. This issue affects the version of OpenSSH as shipped with Red Hat Enterprise Linux 7 in a non-default configuration.

For more information please refer to https://access.redhat.com/articles/2123781

External References:
https://access.redhat.com/articles/2123781
https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
http://www.openssh.com/txt/release-7.1p2

Created attachment 1114690 [details]
Upstream patch
This is the fix that is expected to be published by upstream later today. It disabled the roaming feature.
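As an added example (not from the bug report and not OpenSSH's own code), a POSIX shell helper for the client-side mitigation described in the report: it classifies an `ssh -V` version string against the affected range stated here (roaming code present from 5.4, disabled in 7.1p2) and checks for, or inserts, a global `UseRoaming no` in a given ssh_config file. The sample config and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added helper for the "UseRoaming no" mitigation in this report; not part of
# the bug report or of OpenSSH. The sample config at the bottom is constructed.

# Return 0 if an `ssh -V` string names a client that ships the roaming code
# (5.4 <= version < 7.1p2, the range given in the report), 1 if it does not,
# 2 if the string cannot be parsed.
ssh_version_has_roaming() {
    ver=${1%%[ ,]*}; ver=${ver#OpenSSH_}          # "OpenSSH_6.6.1p1, OpenSSL ..." -> "6.6.1p1"
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%[!0-9]*}
    case $ver in *p*) patch=${ver##*p}; patch=${patch%%[!0-9]*} ;; *) patch=0 ;; esac
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $minor in ''|*[!0-9]*) return 2 ;; esac
    code=$((major * 100 + minor))
    if [ "$code" -lt 504 ]; then return 1; fi      # before 5.4: no client roaming code
    if [ "$code" -lt 701 ]; then return 0; fi
    if [ "$code" -eq 701 ] && [ "${patch:-0}" -lt 2 ]; then return 0; fi   # 7.1p1 only
    return 1                                       # 7.1p2 or later: roaming disabled
}

# Return 0 if FILE sets UseRoaming to no in its global section, i.e. before any
# Host/Match block. Keywords are case-insensitive; "Key value" and "Key=value"
# forms are both handled and comment lines are skipped.
useroaming_disabled() {
    awk 'BEGIN { ok = 1 }
         { s = tolower($0); sub(/^[ \t]+/, "", s)
           if (s == "" || s ~ /^#/) next
           split(s, f, /[ \t=]+/) }
         f[1] == "host" || f[1] == "match" { exit }
         f[1] == "useroaming" { if (f[2] == "no") ok = 0; exit }
         END { exit ok }' "$1"
}

# Prepend "UseRoaming no" to FILE unless it already disables roaming globally;
# prepending keeps the directive ahead of every Host/Match block.
disable_roaming() {
    [ -f "$1" ] || : > "$1"
    if useroaming_disabled "$1"; then return 0; fi
    { printf 'UseRoaming no\n'; cat "$1"; } > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed demo: a directive inside a Host block does not count as global.
cfg=$(mktemp)
printf 'Host bastion\n    UseRoaming no\n' > "$cfg"
useroaming_disabled "$cfg" || echo "no global UseRoaming no in $cfg; adding it"
disable_roaming "$cfg"
head -n 1 "$cfg"
rm -f "$cfg"
```

`ssh -V` prints its version to stderr, so a real check is `ssh_version_has_roaming "$(ssh -V 2>&1)"`.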
Acknowledgements: Red Hat would like to thank Qualys for reporting this issue.

This is now public via https://twitter.com/phessler/status/687651384360091649 and https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034680.html

Created openssh tracking bugs for this issue:
Affects: fedora-all [bug 1298626]

Fixed upstream in 7.1p2: http://www.openssh.com/txt/release-7.1p2
Upstream commit: https://anongit.mindrot.org/openssh.git/commit/?id=e6c85f8889c5c9eb04796fdb76d2807636b9eef5

A detailed analysis of this issue was published by Qualys at: https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt

After disabling roaming for the 7.1p2 security release, upstream already proceeded to remove roaming support completely in the CVS: http://marc.info/?l=openbsd-cvs&m=145278862023945

Why does the openssh-clients-5.3p1-112.el6_7.x86_64 copy of ssh contain the string "useroaming" if it's not affected by this bug? Could Redhat have helpfully backported this functionality from 5.4p1 to 5.3p1?

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:0043 https://rhn.redhat.com/errata/RHSA-2016-0043.html

(In reply to Trevor Hemsley from comment #16)
> Why does the openssh-clients-5.3p1-112.el6_7.x86_64 copy of ssh contain the
> string "useroaming" if it's not affected by this bug? Could Redhat have
> helpfully backported this functionality from 5.4p1 to 5.3p1?

There's no Red Hat specific backport. Upstream 5.3 already added some roaming related code, apparently in preparation for addition of the client side implementation in 5.4. 5.3 recognizes UseRoaming option, but does not use it in any way.

Created gsi-openssh tracking bugs for this issue:
Affects: fedora-all [bug 1298817]
Affects: epel-7 [bug 1298818]

(In reply to Tomas Hoger from comment #18)
> (In reply to Trevor Hemsley from comment #16)
> > Why does the openssh-clients-5.3p1-112.el6_7.x86_64 copy of ssh contain the
> > string "useroaming" if it's not affected by this bug? Could Redhat have
> > helpfully backported this functionality from 5.4p1 to 5.3p1?
>
> There's no Red Hat specific backport. Upstream 5.3 already added some
> roaming related code, apparently in preparation for addition of the client
> side implementation in 5.4. 5.3 recognizes UseRoaming option, but does not
> use it in any way.

I had a client who noticed similar and had a look prior to seeing this. To confirm, the option parser in the RHEL6 version recognizes UseRoaming, but the option isn't used anywhere.

openssh-7.1p2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

openssh-6.9p1-10.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

gsi-openssh-7.1p2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

gsi-openssh-6.9p1-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

gsi-openssh-6.6.1p1-3.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.