OpenSSH bug of the week
http://undeadly.org/cgi?action=article&sid=20160114142733
OpenSSH: client bug CVE-0216-0778
Contributed by tj on Thu Jan 14 15:41:37 2016 (GMT)
from the i-have-a-fviend-in-Vome dept.
This is the most serious bug you'll hear about this week: The issue dubbed CVE-0216-0778 has been identified and fixed in OpenSSH.
An early heads up came from Theo de Raadt in this mailing list posting.
Until you are able to patch affected systems, the recommended workaround is to use
# echo 'UseRoaming no' >> /etc/ssh/ssh_config
Comments
More details: http://www.openssh.com/txt/release-7.1p2
contains experimental support for resuming SSH-connections (roaming).
code was enabled by default and could be tricked by a malicious
server into leaking client memory to the server, including private
client user keys.
by a man-in-the-middle, so this information leak is restricted
to connections to malicious or compromised servers.
can be completely disabled by adding 'UseRoaming no' to the global
ssh_config(5) file, or to user configuration in ~/.ssh/config,
or by passing -oUseRoaming=no on the command line.
Roaming in the Source Code).
Debian got on it already:
Updated. Thanks!
The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.
So it is not so scary, is it?
The information leak can happen if you connect to any untrusted server. If you only connect to servers that you have already connected to it's okay, but e.g. someone can give you connection details and probably trick you into connecting (please help me install blah?).
A good reason to have a system you don't care about that you use to run "ssh -v" for diagnostics. I figured I was paranoid
I use "-v" all the time, except when I forget it.
Thanks for the heads up. I panicked a bit and updated everything I could and applied the workaround as well. Later I realized that it was the OpenSSH client that was affected. I never used it.
https://www.digitalocean.com/community/questions/openssh-client-bug-cve-2016-0777-and-cve-2016-0778
A little something Ryan put together for this. Quick mitigation against the issue
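Added example (not from the thread or the linked articles): ssh_config(5) uses the first value obtained for each option, and a Host or Match line scopes everything after it, so a 'UseRoaming no' appended with '>>' covers all hosts only if the file ends in global scope or a 'Host *' block. The function name roaming_state and the sample config are assumptions made for illustration; Include files and Match criteria other than 'all' are not evaluated.

```shell
#!/bin/sh
# roaming_state FILE (hypothetical helper) prints one of:
#   disabled  'UseRoaming no' applies to every host
#   partial   as above, but an earlier host-specific block sets another value
#   enabled   the all-hosts scope sets UseRoaming to something other than 'no'
#   unset     no UseRoaming line applies to all hosts
roaming_state() {
    awk '
    BEGIN { global = 1; state = "unset"; scoped = 0 }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        n = match(line, /[ \t=]/)            # keyword ends at whitespace or "="
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))
        val = substr(line, n)
        sub(/^[ \t]*=?[ \t]*/, "", val)      # drop the separator
        sub(/[ \t]+$/, "", val)
        gsub(/"/, "", val)                   # arguments may be double-quoted
        if (key == "host")  { global = (val == "*"); next }
        if (key == "match") { global = (tolower(val) == "all"); next }
        if (key != "useroaming" || state != "unset") next
        if (global)
            state = (tolower(val) == "no") ? "disabled" : "enabled"
        else if (tolower(val) != "no")
            scoped = 1                       # first value wins for that host
    }
    END {
        if (state == "disabled" && scoped) state = "partial"
        print state
    }' "$1"
}

# Constructed sample: a config whose last block is host-specific, after the
# workaround line has been appended to the end of the file.
sample=$(mktemp)
printf 'Host build\n    User ci\nUseRoaming no\n' > "$sample"
echo "appended after 'Host build': $(roaming_state "$sample")"
rm -f "$sample"
```

Run it against /etc/ssh/ssh_config and ~/.ssh/config; anything other than "disabled" from both means the option should be moved to the top of the file or into a 'Host *' block.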