OpenSSH Exploit Plugged, but Damage May Already Be Done

A major vulnerability has just been found in one of the most widely used versions of the secure shell protocol. Older versions of OpenSSH are vulnerable to attacks whereby malicious servers can force users to leak their private keys.

Researchers at Qualys, a cloud-based security company, discovered the vulnerability on January 11 and released an advisory about it yesterday. The exploit applies to every version of OpenSSH from 5.4 to 7.1. The bug has been corrected in OpenSSH 7.1p2, the latest version of the software, according to a separate advisory from OpenSSH (Image: Logo: OpenSSH).

Turn Off Roaming

Users who may be vulnerable to the attack are urged to upgrade to the latest version of OpenSSH as soon as possible, according to the advisory. For anyone unable to update to the latest version, the vulnerable code can also be completely disabled by adding 'UseRoaming no' to the gobal ssh_config(5) file or to the user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.

At the heart of the vulnerability is an undocumented feature called ?EU?roaming" that has been supported ever since OpenSSH 5.4 was released in 2010. The exploit requires an attacker to have access to a malicious SSH server. For the exploit to work, the user must have already been successfully authenticated, which reduces the likelihood of an attack.

?EU?The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys,?EU? according to the researchers. ?EU?The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.?EU?

Nevertheless, sophisticated and determined attackers could take advantage of the exploit, and may have already done...

Comments are closed.