Executive Summary

Title: OpenSSH Client contains a client information leak vulnerability and buffer overflow

Information
Name: VU#456088
Vendor: VU-CERT
First vendor publication: 2016-01-14
Last vendor modification: 2016-01-20
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA; Base score: NA; Environmental score: NA; Impact sub-score: NA; Temporal score: NA; Exploitability sub-score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CVSS Base Score: 4.6 (Attack Range: Network)
CVSS Impact Score: 6.4 (Attack Complexity: High)
CVSS Exploit Score: 3.9 (Authentication: Requires single instance)

Detail

Vulnerability Note VU#456088

OpenSSH Client contains a client information leak vulnerability and buffer overflow

Original Release date: 14 Jan 2016 | Last revised: 20 Jan 2016

Overview

OpenSSH client code versions 5.4 through 7.1p1 contain a client information leak vulnerability that could allow an OpenSSH client to leak information, including but not limited to private keys, to the server it connects to, as well as a buffer overflow in certain non-default configurations.

Description

CWE-200: Information Exposure - CVE-2016-0777

According to the OpenSSH release notes for version 7.1p2:

    The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming).

    The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys.

    The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.

CWE-122: Heap-based Buffer Overflow - CVE-2016-0778

According to Qualys, the API functions packet_write_wait() and ssh_packet_write_wait() may overflow in some scenarios after a successful reconnection.

Qualys also notes that:

    The buffer overflow, on the other hand, is present in the default configuration of the OpenSSH client but its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X). This buffer overflow is therefore unlikely to have any real-world impact, but provides a particularly interesting case study.

For more information, please see Qualys's advisory. The CVSS score below is based on CVE-2016-0777.

Impact

A user that authenticates to a malicious or compromised server may reveal private data, including the user's private SSH key, or cause a buffer overflow that may lead to remote code execution in certain non-default configurations.

Solution

Apply an update

OpenSSH 7.1p2 has been released to address these issues. Affected users are advised to update as soon as possible.

If updating is not currently an option, consider the following workaround:

Disable the 'UseRoaming' Feature

The vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the global ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.
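The following script is an added example, not code from the CERT note or from the OpenSSH project. It classifies an `ssh -V` banner against the affected 5.4 through 7.1p1 range and applies the 'UseRoaming no' workaround to an ssh_config-style file; it assumes POSIX sh with sed, grep, tr and mktemp, the function names are its own, and a version string with no portable "p" level is treated as unpatched.

```shell
#!/bin/sh
# Added example, not code from the CERT note or from OpenSSH. Two helpers for
# the workaround above: classify an `ssh -V` banner against the affected
# 5.4 .. 7.1p1 range, and put 'UseRoaming no' into an ssh_config-style file.

# openssh_roaming_affected "<banner>" -> 0 affected, 1 not affected,
# 2 not an OpenSSH banner. Pass the output of `ssh -V 2>&1`.
openssh_roaming_affected() {
    mm=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$mm" ] || return 2
    plevel=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_[0-9][0-9]*\.[0-9][0-9]*p\([0-9][0-9]*\).*/\1/p')
    set -- $mm
    ver=$(($1 * 100 + $2))          # 5.4 -> 504, 7.1 -> 701
    [ "$ver" -ge 504 ] || return 1  # roaming client code first shipped in 5.4
    [ "$ver" -le 701 ] || return 1  # 7.2 and later are not affected
    # 7.1p2 is the fixed release; a bare "7.1" (no p-level) is treated as unpatched
    if [ "$ver" -eq 701 ] && [ "${plevel:-0}" -ge 2 ]; then return 1; fi
    return 0
}

# disable_use_roaming "<config file>" -> 0 if the file now disables roaming,
# 1 if it already carries a different UseRoaming directive (review by hand).
# The directive goes at the top: ssh_config(5) keeps the first value obtained
# for an option, so a later 'Host' block cannot re-enable roaming.
disable_use_roaming() {
    cfg=$1
    [ -f "$cfg" ] || : > "$cfg"
    existing=$(grep -Ei '^[[:space:]]*UseRoaming([[:space:]]|=)' "$cfg" | head -n 1)
    if [ -n "$existing" ]; then
        case $(printf '%s' "$existing" | tr 'A-Z' 'a-z' | tr -d ' \t') in
            useroamingno|useroaming=no) return 0 ;;
            *) return 1 ;;
        esac
    fi
    tmp=$(mktemp) || return 1
    if { printf 'UseRoaming no\n'; cat "$cfg"; } > "$tmp" && cat "$tmp" > "$cfg"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# Stand-alone use: `sh check_roaming.sh --apply` checks the local client and,
# if it is in the affected range, hardens the per-user config.
if [ "${1:-}" = "--apply" ]; then
    if openssh_roaming_affected "$(ssh -V 2>&1)"; then
        echo "affected OpenSSH client; adding 'UseRoaming no' to ~/.ssh/config"
        disable_use_roaming "$HOME/.ssh/config"
    fi
fi
```

Add the same directive to the global ssh_config(5) file with the same helper if the workaround must cover every user on the host.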

Vendor Information

Vendor                     Status        Date Notified  Date Updated
Debian GNU/Linux           Affected      14 Jan 2016    14 Jan 2016
Hardened BSD               Affected      14 Jan 2016    14 Jan 2016
OpenBSD                    Affected      14 Jan 2016    15 Jan 2016
OpenSSH                    Affected      -              14 Jan 2016
Ubuntu                     Affected      14 Jan 2016    14 Jan 2016
Openwall GNU/*/Linux       Not Affected  14 Jan 2016    20 Jan 2016
ACCESS                     Unknown       14 Jan 2016    14 Jan 2016
Alcatel-Lucent             Unknown       14 Jan 2016    14 Jan 2016
Apple                      Unknown       14 Jan 2016    14 Jan 2016
Arch Linux                 Unknown       14 Jan 2016    14 Jan 2016
Arista Networks, Inc.      Unknown       14 Jan 2016    14 Jan 2016
Aruba Networks             Unknown       14 Jan 2016    14 Jan 2016
AT&T                       Unknown       14 Jan 2016    14 Jan 2016
Avaya, Inc.                Unknown       14 Jan 2016    14 Jan 2016
Barracuda Networks         Unknown       14 Jan 2016    14 Jan 2016

CVSS Metrics

Group          Score  Vector
Base           4.3    AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal       3.6    E:F/RL:OF/RC:C
Environmental  2.7    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://www.openssh.com/txt/release-7.1p2
  • https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
  • http://undeadly.org/cgi?action=article&sid=20160114142733
  • https://github.com/openssh/openssh-portable/blob/8408218c1ca88cb17d15278174a24a94a6f65fe1/roaming_client.c#L70
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777
  • https://isc.sans.edu/forums/diary/OpenSSH+71p2+released+with+security+fix+for+CVE20160777/20613/
  • https://access.redhat.com/articles/2123781

Credit

This issue was previously coordinated and publicly disclosed by the Qualys Security Advisory Team.

This document was written by Brian Gardiner and Garret Wassermann.

Other Information

  • CVE IDs: CVE-2016-0777, CVE-2016-0778
  • Date Public: 14 Jan 2016
  • Date First Published: 14 Jan 2016
  • Date Last Updated: 20 Jan 2016
  • Document Revision: 45

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/456088

CWE : Common Weakness Enumeration

%     Id       Name
50 %  CWE-200  Information Exposure
50 %  CWE-119  Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

Type  Description  Count
Application 2
Application 37
Application 2
Os 107
Os 1
Os 1

Snort® IPS/IDS

Date Description
2016-03-14 OpenSSH insecure roaming key exchange attempt
RuleID : 37371 - Revision : 3 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

Date Description
2016-03-22 Name : The remote host is missing a Mac OS X update that fixes multiple vulnerabilit...
File : macosx_SecUpd2016-002.nasl - Type : ACT_GATHER_INFO
2016-03-22 Name : The remote Mac OS X host is affected by multiple vulnerabilities.
File : macosx_10_11_4.nasl - Type : ACT_GATHER_INFO
2016-03-04 Name : The remote Fedora host is missing a security update.
File : fedora_2016-c330264861.nasl - Type : ACT_GATHER_INFO
2016-03-04 Name : The remote Fedora host is missing a security update.
File : fedora_2016-67c6ef0d4f.nasl - Type : ACT_GATHER_INFO
2016-03-04 Name : The remote Fedora host is missing a security update.
File : fedora_2016-2e89eba0c1.nasl - Type : ACT_GATHER_INFO
2016-02-05 Name : The remote AIX host has a version of OpenSSH installed that is affected by mu...
File : aix_openssh_advisory7.nasl - Type : ACT_GATHER_INFO
2016-01-29 Name : The remote Fedora host is missing a security update.
File : fedora_2016-4556904561.nasl - Type : ACT_GATHER_INFO
2016-01-26 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-49.nasl - Type : ACT_GATHER_INFO
2016-01-25 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-39.nasl - Type : ACT_GATHER_INFO
2016-01-25 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-38.nasl - Type : ACT_GATHER_INFO
2016-01-19 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2016-638.nasl - Type : ACT_GATHER_INFO
2016-01-19 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201601-01.nasl - Type : ACT_GATHER_INFO
2016-01-18 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-0120-1.nasl - Type : ACT_GATHER_INFO
2016-01-18 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-0119-1.nasl - Type : ACT_GATHER_INFO
2016-01-18 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-0118-1.nasl - Type : ACT_GATHER_INFO
2016-01-15 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2016-014-01.nasl - Type : ACT_GATHER_INFO
2016-01-15 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2869-1.nasl - Type : ACT_GATHER_INFO
2016-01-15 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20160114_openssh_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2016-01-15 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-0043.nasl - Type : ACT_GATHER_INFO
2016-01-15 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-0043.nasl - Type : ACT_GATHER_INFO
2016-01-15 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_dfe0cdc1baf211e5863ab499baebfeaf.nasl - Type : ACT_GATHER_INFO
2016-01-15 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3446.nasl - Type : ACT_GATHER_INFO
2016-01-15 Name : The remote Debian host is missing a security update.
File : debian_DLA-387.nasl - Type : ACT_GATHER_INFO
2016-01-15 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-0043.nasl - Type : ACT_GATHER_INFO

Alert History

Date  Information
2016-09-09 00:24:22
  • Multiple Updates
2016-02-06 13:26:47
  • Multiple Updates
2016-01-21 21:27:51
  • Multiple Updates
2016-01-21 00:26:10
  • Multiple Updates
2016-01-21 00:21:33
  • Multiple Updates
2016-01-20 21:26:13
  • Multiple Updates
2016-01-20 00:26:14
  • Multiple Updates
2016-01-15 21:23:22
  • Multiple Updates
2016-01-15 05:27:44
  • Multiple Updates
2016-01-15 00:22:10
  • Multiple Updates
2016-01-14 21:24:27
  • First insertion