==================================================================== CERT-Renater Note d'Information No. 2016/VULN022 _____________________________________________________________________ DATE : 14/01/2016 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): OpenSSH clients versions between 5.4 and 7.1. ====================================================================== http://www.openssh.com/security.html http://www.openssh.com/txt/release-7.1p2 https://lists.debian.org/debian-security-announce/2016/msg00015.html http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/010_ssh.patch.sig http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/022_ssh.patch.sig _____________________________________________________________________ January 14, 2016 OpenSSH clients between versions 5.4 and 7.1 are vulnerable to information disclosure that may allow a malicious server to retrieve information including under some circumstances, user's private keys. This may be mitigated by adding the undocumented config option UseRoaming no to ssh_config. For more information see CVE-2016-0777 and CVE-2016-0778. This bug is corrected in OpenSSH 7.1p2 and in OpenBSD's stable branch. For more information, please refer to the release notes. http://www.openssh.com/txt/release-7.1p2 _____________________________________________________________________ OpenSSH 7.1p2 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. OpenSSH also includes transitional support for the legacy SSH 1.3 and 1.5 protocols that may be enabled at compile-time. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Changes since OpenSSH 7.1p1 =========================== * SECURITY: ssh(1): The OpenSSH client code between 5.4 and 7.1 contains experimential support for resuming SSH-connections (roaming). The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys. The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers. MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the gobal ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line. PATCH: See below for a patch to disable this feature (Disabling Roaming in the Source Code). This problem was reported by the Qualys Security Advisory team. * SECURITY: Eliminate the fallback from untrusted X11-forwarding to trusted forwarding for cases when the X server disables the SECURITY extension. Reported by Thomas Hoger. * SECURITY: Fix an out of-bound read access in the packet handling code. Reported by Ben Hawkes. * PROTOCOL: Correctly interpret the 'first_kex_follows' option during the intial key exchange. Reported by Matt Johnston. * Further use of explicit_bzero has been added in various buffer handling code paths to guard against compilers aggressively doing dead-store removal. Checksums: ========== - SHA1 (openssh-7.1p2.tar.gz) = 9202f5a2a50c8a55ecfb830609df1e1fde97f758 - SHA256 (openssh-7.1p2.tar.gz) = dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available as RELEASE_KEY.asc from the mirror sites. Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh at openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom. Disabling Roaming in the Source Code: ===================================== --- readconf.c 30 Jul 2015 00:01:34 -0000 1.239 +++ readconf.c 13 Jan 2016 23:17:23 -0000 @@ -1648,7 +1648,7 @@ initialize_options(Options * options) options->tun_remote = -1; options->local_command = NULL; options->permit_local_command = -1; - options->use_roaming = -1; + options->use_roaming = 0; options->visual_host_key = -1; options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; @@ -1819,8 +1819,7 @@ fill_default_options(Options * options) options->tun_remote = SSH_TUNID_ANY; if (options->permit_local_command == -1) options->permit_local_command = 0; - if (options->use_roaming == -1) - options->use_roaming = 1; + options->use_roaming = 0; if (options->visual_host_key == -1) options->visual_host_key = 0; if (options->ip_qos_interactive == -1) --- ssh.c 30 Jul 2015 00:01:34 -0000 1.420 +++ ssh.c 13 Jan 2016 23:17:23 -0000 @@ -1882,9 +1882,6 @@ ssh_session2(void) fork_postauth(); } - if (options.use_roaming) - request_roaming(); - return client_loop(tty_flag, tty_flag ? options.escape_char : SSH_ESCAPECHAR_NONE, id); } _____________________________________________________________________ - ------------------------------------------------------------------------- Debian Security Advisory DSA-3446-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez January 14, 2016 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openssh CVE ID : CVE-2016-0777 CVE-2016-0778 Debian bug : 810984 The Qualys Security team discovered two vulnerabilities in the roaming code of the OpenSSH client (an implementation of the SSH protocol suite). SSH roaming enables a client, in case an SSH connection breaks unexpectedly, to resume it at a later time, provided the server also supports it. The OpenSSH server doesn't support roaming, but the OpenSSH client supports it (even though it's not documented) and it's enabled by default. CVE-2016-0777 An information leak (memory disclosure) can be exploited by a rogue SSH server to trick a client into leaking sensitive data from the client memory, including for example private keys. CVE-2016-0778 A buffer overflow (leading to file descriptor leak), can also be exploited by a rogue SSH server, but due to another bug in the code is possibly not exploitable, and only under certain conditions (not the default configuration), when using ProxyCommand, ForwardAgent or ForwardX11. This security update completely disables the roaming code in the OpenSSH client. It is also possible to disable roaming by adding the (undocumented) option 'UseRoaming no' to the global /etc/ssh/ssh_config file, or to the user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line. Users with passphrase-less privates keys, especially in non interactive setups (automated jobs using ssh, scp, rsync+ssh etc.) are advised to update their keys if they have connected to an SSH server they don't trust. More details about identifying an attack and mitigations will be available in the Qualys Security Advisory. For the oldstable distribution (wheezy), these problems have been fixed in version 1:6.0p1-4+deb7u3. For the stable distribution (jessie), these problems have been fixed in version 1:6.7p1-5+deb8u1. For the testing distribution (stretch) and unstable distribution (sid), these problems will be fixed in a later version. We recommend that you upgrade your openssh packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ _____________________________________________________________________ OpenBSD 5.8 errata 10, Jan 14, 2016: Experimental roaming code in the ssh client could be tricked by a hostile sshd server, potentially leaking key material. CVE-2016-0777 and CVE-0216-0778. Prevent this problem immediately by adding the line "UseRoaming no" to /etc/ssh/ssh_config. Apply by doing: signify -Vep /etc/signify/openbsd-58-base.pub -x 010_ssh.patch.sig \ -m - | (cd /usr/src && patch -p0) And then rebuild and install sshd: cd /usr/src/usr.bin/ssh make obj make depend make make install Index: usr.bin/ssh/readconf.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/readconf.c,v retrieving revision 1.239 diff -u -p -r1.239 readconf.c --- usr.bin/ssh/readconf.c 30 Jul 2015 00:01:34 -0000 1.239 +++ usr.bin/ssh/readconf.c 13 Jan 2016 23:17:23 -0000 @@ -1648,7 +1648,7 @@ initialize_options(Options * options) options->tun_remote = -1; options->local_command = NULL; options->permit_local_command = -1; - options->use_roaming = -1; + options->use_roaming = 0; options->visual_host_key = -1; options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; @@ -1819,8 +1819,7 @@ fill_default_options(Options * options) options->tun_remote = SSH_TUNID_ANY; if (options->permit_local_command == -1) options->permit_local_command = 0; - if (options->use_roaming == -1) - options->use_roaming = 1; + options->use_roaming = 0; if (options->visual_host_key == -1) options->visual_host_key = 0; if (options->ip_qos_interactive == -1) Index: usr.bin/ssh/ssh.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh.c,v retrieving revision 1.420 diff -u -p -r1.420 ssh.c --- usr.bin/ssh/ssh.c 30 Jul 2015 00:01:34 -0000 1.420 +++ usr.bin/ssh/ssh.c 13 Jan 2016 23:17:23 -0000 @@ -1882,9 +1882,6 @@ ssh_session2(void) fork_postauth(); } - if (options.use_roaming) - request_roaming(); - return client_loop(tty_flag, tty_flag ? options.escape_char : SSH_ESCAPECHAR_NONE, id); } _____________________________________________________________________ OpenBSD 5.7 errata 22, Jan 14, 2016: Experimental roaming code in the ssh client could be tricked by a hostile sshd server, potentially leaking key material. CVE-2016-0777 and CVE-0216-0778. Prevent this problem immediately by adding the line "UseRoaming no" to /etc/ssh/ssh_config. Apply by doing: signify -Vep /etc/signify/openbsd-57-base.pub -x 022_ssh.patch.sig \ -m - | (cd /usr/src && patch -p0) And then rebuild and install sshd: cd /usr/src/usr.bin/ssh make obj make depend make make install Index: usr.bin/ssh/readconf.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/readconf.c,v retrieving revision 1.232 diff -u -p -r1.232 readconf.c --- usr.bin/ssh/readconf.c 16 Feb 2015 22:13:32 -0000 1.232 +++ usr.bin/ssh/readconf.c 13 Jan 2016 23:16:03 -0000 @@ -1648,7 +1648,7 @@ initialize_options(Options * options) options->tun_remote = -1; options->local_command = NULL; options->permit_local_command = -1; - options->use_roaming = -1; + options->use_roaming = 0; options->visual_host_key = -1; options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; @@ -1821,8 +1821,7 @@ fill_default_options(Options * options) options->tun_remote = SSH_TUNID_ANY; if (options->permit_local_command == -1) options->permit_local_command = 0; - if (options->use_roaming == -1) - options->use_roaming = 1; + options->use_roaming = 0; if (options->visual_host_key == -1) options->visual_host_key = 0; if (options->ip_qos_interactive == -1) Index: usr.bin/ssh/ssh.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh.c,v retrieving revision 1.416 diff -u -p -r1.416 ssh.c --- usr.bin/ssh/ssh.c 3 Mar 2015 06:48:58 -0000 1.416 +++ usr.bin/ssh/ssh.c 13 Jan 2016 23:16:03 -0000 @@ -1879,9 +1879,6 @@ ssh_session2(void) fork_postauth(); } - if (options.use_roaming) - request_roaming(); - return client_loop(tty_flag, tty_flag ? options.escape_char : SSH_ESCAPECHAR_NONE, id); } ========================================================== Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================