An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client.
Find out more about CVE-2016-0777 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue does not affect the version OpenSSH as shipped with Red Hat Enterprise Linux 4, 5 and 6. This issue affects the version of OpenSSH as shipped with Red Hat Enterprise Linux 7 in a non-default configuration. For more information please refer to https://access.redhat.com/articles/2123781
Base Score | 4.3 |
---|---|
Base Metrics | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Access Vector | Network |
Access Complexity | Medium |
Authentication | None |
Confidentiality Impact | Partial |
Integrity Impact | None |
Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Platform | Errata | Release Date |
---|---|---|
Red Hat Enterprise Linux 7 (openssh) | RHSA-2016:0043 | 2016-01-14 |
Platform | Package | State |
---|---|---|
Red Hat Enterprise Linux 6 | openssh | Not affected |
Red Hat Enterprise Linux 5 | openssh | Not affected |
Red Hat Enterprise Linux 4 | openssh | Not affected |
1. The vulnerable roaming code can be permanently disabled by adding the
undocumented option "UseRoaming no" to the system-wide configuration
file (usually /etc/ssh/ssh_config), or per-user configuration file
(~/.ssh/config), or command-line (-o "UseRoaming no").
2. If an OpenSSH client is disconnected from an SSH server that offers
roaming, it prints "[connection suspended, press return to resume]" on
stderr, and waits for '\n' or '\r' on stdin (and not on the controlling
terminal) before it reconnects to the server; advanced users may become
suspicious and press Control-C or Control-Z instead, thus avoiding the
information leak.
However, SSH commands that use the local stdin to transfer data to the
remote server are bound to trigger this reconnection automatically (upon
reading a '\n' or '\r' from stdin). Moreover, these non-interactive SSH
commands (for example, backup scripts and cron jobs) commonly employ
public-key authentication and are therefore perfect targets for this
information leak.