The OpenSSH project has released information about an ssh client bug that can leak private keys to malicious servers. The two issues, which a malicious or man-in-the-middle server can trigger against connecting clients, were identified and fixed in OpenSSH and are tracked as CVE-2016-0777 and CVE-2016-0778. How do I fix OpenSSH's client vulnerability on a Linux or Unix-like operating system?
A serious security problem has been found and patched in the OpenSSH software. Two vulnerabilities have been discovered in OpenSSH on 14/Jan/2016. The Common Vulnerabilities and Exposures project identifies the following issues:
- Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778 - All OpenSSH versions between 5.4 and 7.1 are vulnerable; the upstream fix is OpenSSH 7.1p2.
- CVE-2016-0777 - An information leak (memory disclosure) can be exploited by a rogue SSH server to trick a client into leaking sensitive data from the client memory, including for example private keys.
- CVE-2016-0778 - A buffer overflow (leading to a file descriptor leak) can also be exploited by a rogue SSH server, but due to another bug in the code it is possibly not exploitable, and only under certain conditions (not the default configuration), when using ProxyCommand, ForwardAgent or ForwardX11.
In this tutorial you will learn how to fix OpenSSH's client bugs CVE-2016-0777 and CVE-2016-0778 on a Linux or Unix-like system (the bugs live in the client's roaming code; sshd itself is not affected), including verification that the fix took effect at the end of the tutorial.
How to find openssh version on a Linux or Unix-like system?
The syntax is as follows to find openssh version on a CentOS/RHEL/SL:
# yum list installed openssh\*
The syntax is as follows to find openssh version on a Debian/Ubuntu Linux:
$ dpkg --list | grep openssh
### OR ###
$ dpkg --list openssh\*
A list of affected Linux distros
- CentOS Linux 7.x
- RHEL (RedHat Enterprise Linux) 7.x
- Debian Linux (squeeze, wheezy, jessie, stretch, and sid release)
- Ubuntu Linux 15.10
- Ubuntu Linux 15.04
- Ubuntu Linux 14.04 LTS
- Ubuntu Linux 12.04 LTS
- SUSE Linux Enterprise Server 12 (SLES 12)
- SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
- SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
- SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
- openSUSE 13.2
- openSUSE Leap 42.1
Fix #1: How to apply a hot-fix for the issue (CVE-2016-0777 and CVE-2016-0778)
Type the command as per your Linux or Unix variant:
Fix openssh on FreeBSD
## First become root, then append the option ##
sudo -s
echo 'UseRoaming no' >> /etc/ssh/ssh_config
Fix openssh on Linux
## run as root via sudo ##
echo 'UseRoaming no' | sudo tee -a /etc/ssh/ssh_config
Fix openssh on Apple Mac OS X
## run as normal user ##
echo "UseRoaming no" >> ~/.ssh/config
Fix openssh on OpenBSD
## run as root (printf instead of echo -e, which root's shell may not support) ##
printf 'Host *\nUseRoaming no\n' >> /etc/ssh/ssh_config
All of the above commands add the option UseRoaming no to your /etc/ssh/ssh_config or ~/.ssh/config ssh client config file. Two caveats. First, a keyword in ssh_config applies to the Host or Match block it appears in, so if the last block in your file is something like Host bastion, an appended line only disables roaming for that host; put the line at the top of the file, or precede it with Host * as the OpenBSD command does, to make it global. Second, only add the option on clients in the affected 5.4 to 7.1 range: a client older than 5.4 does not know the keyword and refuses to run with "Bad configuration option: UseRoaming". Of course you can also start a single ssh client session with the following command to avoid this bug:
$ ssh -oUseRoaming=no vivek@server1.cyberciti.biz
$ ssh -oUseRoaming=no root@v.server1
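The following helper is an added example, not one of the article's commands and not part of OpenSSH; it assumes only a POSIX shell, awk and mktemp, and the two paths in its usage comment are assumed typical locations. Unlike the one-liners above, it writes UseRoaming no at the top of the file, ahead of any Host or Match block, so the setting is global whatever the file already ends with, and it can be rerun without duplicating the line.

```shell
#!/bin/sh
# Added example: not the article's commands and not OpenSSH code.
# Appending "UseRoaming no" to the END of a config file places it inside
# whatever Host/Match block happens to be last, where it applies only to those
# hosts. This helper puts the option at the TOP, in the global section, and is
# safe to run more than once.
#
# Usage:  disable_roaming /etc/ssh/ssh_config     (as root, system wide)
#         disable_roaming "$HOME/.ssh/config"     (per user)

# roaming_disabled FILE
# Returns 0 if FILE sets "UseRoaming no" in the global section, i.e. before the
# first Host or Match line; 1 otherwise. Keywords are case-insensitive and may
# be written "Key value" or "Key=value", as ssh_config allows.
roaming_disabled() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        {
            line = $0; gsub(/=/, " ", line)
            split(line, f); key = tolower(f[1]); val = tolower(f[2])
        }
        key == "host" || key == "match" { exit }     # end of the global section
        key == "useroaming" && val == "no" { found = 1; exit }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# disable_roaming FILE
# Inserts a comment and "UseRoaming no" as the first lines of FILE unless the
# option is already set globally. Writes through a temp file that keeps the
# original mode and owner, then renames it into place.
disable_roaming() {
    cfg=$1
    [ -f "$cfg" ] || : > "$cfg"
    roaming_disabled "$cfg" && return 0
    tmp=$(mktemp "$cfg.XXXXXX") || return 1
    cp -p "$cfg" "$tmp" || { rm -f "$tmp"; return 1; }   # keep mode/owner
    {
        echo '# CVE-2016-0777 / CVE-2016-0778 mitigation: never request roaming'
        echo 'UseRoaming no'
        cat "$cfg"
    } > "$tmp" && mv "$tmp" "$cfg"
}
```

ssh reads ~/.ssh/config before /etc/ssh/ssh_config and keeps the first value it obtains for each keyword, so a per-user file that says UseRoaming yes still wins over the system-wide line; run the helper on both files if untrusted users share the machine.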
Fix #2: Upgrade your openssh to fix CVE-2016-0777 and CVE-2016-0778
The workaround above only stops the client from asking for roaming; the permanent fix for both CVEs is the patched code. Upgrade all your packages, or as a minimum upgrade the openssh-client and openssh-server packages:
Debian/Ubuntu/Mint Linux
Type the following apt-get command to update openssh:
$ sudo apt-get update
$ sudo apt-get upgrade
OR
$ sudo apt-get update
$ sudo apt-get install openssh-client openssh-server openssh-sftp-server
Sample outputs:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  ssh-askpass libpam-ssh monkeysphere rssh molly-guard ufw
The following packages will be upgraded:
  openssh-client openssh-server openssh-sftp-server
3 upgraded, 0 newly installed, 0 to remove and 16 not upgraded.
Need to get 1,060 kB of archives.
After this operation, 238 kB disk space will be freed.
Get:1 http://security.debian.org/ jessie/updates/main openssh-sftp-server amd64 1:6.7p1-5+deb8u1 [38.0 kB]
Get:2 http://security.debian.org/ jessie/updates/main openssh-server amd64 1:6.7p1-5+deb8u1 [331 kB]
Get:3 http://security.debian.org/ jessie/updates/main openssh-client amd64 1:6.7p1-5+deb8u1 [691 kB]
Fetched 1,060 kB in 2s (371 kB/s)
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 84547 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-sftp-server (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Preparing to unpack .../openssh-server_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-server (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Preparing to unpack .../openssh-client_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-client (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u2) ...
Setting up openssh-client (1:6.7p1-5+deb8u1) ...
Setting up openssh-sftp-server (1:6.7p1-5+deb8u1) ...
Setting up openssh-server (1:6.7p1-5+deb8u1) ...
SL/RHEL/CentOS Linux
Fedora Linux
Type the following dnf command to patch and update openssh:
$ sudo dnf update
FreeBSD unix user
Type the following two commands to apply binary patches:
# freebsd-update fetch
# freebsd-update install
SUSE Enterprise Linux
SUSE Linux Enterprise Server 12-SP1:
# zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-85=1
SUSE Linux Enterprise Server 12:
# zypper in -t patch SUSE-SLE-SERVER-12-2016-85=1
SUSE Linux Enterprise Desktop 12-SP1:
# zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-85=1
SUSE Linux Enterprise Desktop 12:
# zypper in -t patch SUSE-SLE-DESKTOP-12-2016-85=1
Finally, to bring your system up-to-date, run:
# zypper patch
openSUSE Leap 42.1
# zypper in -t patch openSUSE-2016-38=1
Finally, to bring your system up-to-date, run:
# zypper patch
Do I need to reboot my server/laptop/computer powered by Linux or Unix?
No. The fix is in the ssh client binary, and every new ssh invocation picks up the patched binary. Only ssh client processes that were already running when you upgraded (long-lived tunnels, ControlMaster sessions) still carry the old code in memory until you restart them.
Verify if system is still affected after openssh updates
To check if your system is affected you can simply run:
$ ssh -v user@server
$ ssh -v vivek@server1.cyberciti.biz
Sample outputs:
The message debug1: Roaming not allowed by server indicates that your system is affected: the client asked the server for roaming and was refused. You will not see this debug message if you applied either fix explained earlier (UseRoaming no, or the upgraded package), because the client then never asks. Do not rely on the version banner alone: distributions backport the fix without changing the upstream version number, so the fixed Debian jessie package 1:6.7p1-5+deb8u1 installed above still reports itself as OpenSSH_6.7p1.
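The version check at the start of this page and the ssh -v check here are combined in the following helper, an added example that is not part of the original article or of OpenSSH. It assumes portable OpenSSH's ssh -V banner format (OpenSSH_X.YpZ ...), and the debug output embedded in it is constructed, not captured from a real host. It also spells out the decision a banner alone cannot make: a client whose version is in the affected range but which no longer asks for roaming is either mitigated by UseRoaming no or running a distribution backport of the fix.

```shell
#!/bin/sh
# Added example: not part of the original article and not OpenSSH code.
# Decide whether an ssh client still has (and uses) the roaming code behind
# CVE-2016-0777 / CVE-2016-0778, from two inputs you can collect yourself:
#   1. the "ssh -V" banner, e.g. "OpenSSH_6.7p1 Debian-5+deb8u1, OpenSSL ..."
#   2. the stderr of "ssh -v user@host", where an unpatched client prints
#      "debug1: Roaming not allowed by server" right after key exchange and
#      before authentication, so a host you cannot log in to still serves.
#
# Usage against a real host (not run here):
#   roaming_status "$(ssh -V 2>&1)" "$(ssh -v -o BatchMode=yes user@server 2>&1 </dev/null)"

# openssh_roaming_affected BANNER
# Returns 0 if the upstream version in BANNER shipped the roaming client code,
# i.e. 5.4 up to and including 7.1p1 (7.1p2 is the upstream fix release, and
# 7.2 removed the code); 1 otherwise; 2 if BANNER is not an OpenSSH banner.
openssh_roaming_affected() {
    banner=$1
    rest=${banner#OpenSSH_}
    [ "$rest" != "$banner" ] || return 2
    ver=${rest%%[!0-9.p]*}          # "6.7p1" from "6.7p1 Debian-5+deb8u1, ..."
    major=${ver%%.*}
    after=${ver#*.}                  # "7p1"
    minor=${after%%p*}
    patch=0
    case $after in *p*) patch=${after#*p}; patch=${patch:-0} ;; esac
    num=$((major * 100 + minor))     # 6.7 -> 607, for simple range checks
    [ "$num" -ge 504 ] || return 1                           # roaming appeared in 5.4
    [ "$num" -le 701 ] || return 1                           # gone from 7.2 on
    [ "$num" -ne 701 ] || [ "$patch" -lt 2 ] || return 1     # 7.1p2 is fixed
    return 0
}

# ssh_debug_shows_roaming OUTPUT
# Returns 0 if OUTPUT contains the message a client prints when it asked the
# server for roaming and was refused. Only this exact message is matched: a
# newer client that merely logs a deprecated "useroaming" keyword under -v
# also contains the word "roaming" and must not count as affected.
ssh_debug_shows_roaming() {
    printf '%s\n' "$1" | grep -qi 'roaming not allowed by server'
}

# roaming_status BANNER OUTPUT
# Prints "affected" if the client still asked for roaming; "mitigated" if it
# did not ask although its upstream version is in the affected range, which is
# what UseRoaming no or a distribution backport looks like (Debian jessie's
# fixed 1:6.7p1-5+deb8u1 still reports OpenSSH_6.7p1); "fixed" if the upstream
# version itself is outside the range.
roaming_status() {
    if ssh_debug_shows_roaming "$2"; then
        echo affected
    elif openssh_roaming_affected "$1"; then
        echo mitigated
    else
        echo fixed
    fi
}

# Constructed, trimmed samples of "ssh -v" stderr (not captured from a host).
VULNERABLE_DEBUG='debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent'
PATCHED_DEBUG='debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent'
```

Run roaming_status once per client you manage; "affected" is the only result that needs action, and "mitigated" on a host where you did not add UseRoaming no tells you the distribution already backported the fix under the old version number.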