
How To Patch and Protect OpenSSH Client Vulnerability CVE-2016-0777 and CVE-2016-0778 [ 14/Jan/2016 ]

The OpenSSH project has disclosed an ssh client bug that can leak private keys to malicious servers. The man-in-the-middle style attacks identified and fixed in OpenSSH are tracked as CVE-2016-0777 and CVE-2016-0778. How do I fix the OpenSSH client vulnerability on a Linux or Unix-like operating system?

A serious security problem has been found and patched in the OpenSSH software. Two vulnerabilities were disclosed in OpenSSH on 14/Jan/2016. The Common Vulnerabilities and Exposures project identifies the following issues:

  • Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778 – all OpenSSH versions between 5.4 and 7.1 are vulnerable.
  • CVE-2016-0777 – An information leak (memory disclosure) that can be exploited by a rogue SSH server to trick a client into leaking sensitive data from the client's memory, including, for example, private keys.
  • CVE-2016-0778 – A buffer overflow (leading to a file descriptor leak) that can also be exploited by a rogue SSH server, but which, due to another bug in the code, is possibly not exploitable, and then only under certain non-default conditions: when using ProxyCommand, ForwardAgent or ForwardX11.

In this tutorial you will learn how to fix the OpenSSH bugs CVE-2016-0777 and CVE-2016-0778 on a Linux or Unix-like system by patching the openssh client and server packages, and how to verify the fix at the end of the tutorial.

How to find the openssh version on a Linux or Unix-like system

On CentOS/RHEL/SL, find the installed openssh version with:
# yum list installed openssh\*
On Debian/Ubuntu Linux, find the installed openssh version with:
$ dpkg --list | grep openssh
### OR ###
$ dpkg --list openssh\*

Sample outputs:

Fig.01: Finding the installed openssh server and client version

A list of affected Linux distros

  1. CentOS Linux 7.x
  2. RHEL (RedHat Enterprise Linux) 7.x
  3. Debian Linux (squeeze, wheezy, jessie, stretch, and sid release)
  4. Ubuntu Linux 15.10
  5. Ubuntu Linux 15.04
  6. Ubuntu Linux 14.04 LTS
  7. Ubuntu Linux 12.04 LTS
  8. SUSE Linux Enterprise Server 12 (SLES 12)
  9. SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
  10. SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
  11. SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
  12. openSUSE 13.2
  13. openSUSE Leap 42.1

Fix #1: How to apply the hot-fix for the issue (CVE-2016-0777)

Type the command as per your Linux or Unix variant:

Fix openssh on FreeBSD

## First become root, then run ##
sudo -s
echo 'UseRoaming no' >> /etc/ssh/ssh_config

Fix openssh on Linux

## run as root via sudo ##
echo 'UseRoaming no' | sudo tee -a /etc/ssh/ssh_config

Fix openssh on Apple Mac OS X

## run as normal user ##
echo "UseRoaming no" >> ~/.ssh/config

Fix openssh on OpenBSD

## run as root ##
echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config

All of the above commands add the option UseRoaming no to your /etc/ssh/ssh_config or ~/.ssh/config ssh client config file. If that file already contains Host sections, make sure the option lands in a Host * block (or above the first Host line) so that it applies to every server. Of course, you can also start your ssh client session with the following command to avoid this bug without editing any file:
$ ssh -oUseRoaming=no vivek@server1.cyberciti.biz
$ ssh -oUseRoaming=no root@v.server1

Fix #2: Upgrade your openssh to fix CVE-2016-0778

To fix CVE-2016-0777, simply upgrade all your packages or, as a minimum, upgrade the openssh-server and openssh-client packages:

Debian/Ubuntu/Mint Linux

Type the following apt-get command to update openssh:
$ sudo apt-get update
$ sudo apt-get upgrade

OR
$ sudo apt-get update
$ sudo apt-get install openssh-client openssh-server openssh-sftp-server

Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  ssh-askpass libpam-ssh monkeysphere rssh molly-guard ufw
The following packages will be upgraded:
  openssh-client openssh-server openssh-sftp-server
3 upgraded, 0 newly installed, 0 to remove and 16 not upgraded.
Need to get 1,060 kB of archives.
After this operation, 238 kB disk space will be freed.
Get:1 http://security.debian.org/ jessie/updates/main openssh-sftp-server amd64 1:6.7p1-5+deb8u1 [38.0 kB]
Get:2 http://security.debian.org/ jessie/updates/main openssh-server amd64 1:6.7p1-5+deb8u1 [331 kB]
Get:3 http://security.debian.org/ jessie/updates/main openssh-client amd64 1:6.7p1-5+deb8u1 [691 kB]
Fetched 1,060 kB in 2s (371 kB/s)
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 84547 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-sftp-server (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Preparing to unpack .../openssh-server_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-server (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Preparing to unpack .../openssh-client_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-client (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u2) ...
Setting up openssh-client (1:6.7p1-5+deb8u1) ...
Setting up openssh-sftp-server (1:6.7p1-5+deb8u1) ...
Setting up openssh-server (1:6.7p1-5+deb8u1) ...

SL/RHEL/CentOS Linux

Type the following yum command to patch and update openssh:
$ sudo yum update

Fedora Linux

Type the following dnf command to patch and update openssh:
$ sudo dnf update

FreeBSD Unix users

Type the following two commands to apply binary patches:
# freebsd-update fetch
# freebsd-update install

SUSE Enterprise Linux

SUSE Linux Enterprise Server 12-SP1:
# zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-85=1
SUSE Linux Enterprise Server 12:
# zypper in -t patch SUSE-SLE-SERVER-12-2016-85=1
SUSE Linux Enterprise Desktop 12-SP1:
# zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-85=1
SUSE Linux Enterprise Desktop 12:
# zypper in -t patch SUSE-SLE-DESKTOP-12-2016-85=1
Finally, to bring your system up-to-date, run:
# zypper patch

openSUSE Leap 42.1

# zypper in -t patch openSUSE-2016-38=1
Finally, to bring your system up-to-date, run:
# zypper patch

Do I need to reboot my server/laptop/computer powered by Linux or Unix?

No.

Verify whether the system is still affected after the openssh update

To check whether your system is affected, simply run:
$ ssh -v user@server
$ ssh -v vivek@server1.cyberciti.biz

Sample outputs:

Fig.02: OpenSSH "Roaming not allowed by server" bug (CVE-2016-0777)

The line debug1: Roaming not allowed by server in the verbose output indicates that your system is affected: the client still offers roaming to the server. You will not see this debug message once you have applied the patches as explained earlier.
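The hot-fix (Fix #1) and the verification step above, combined into a small POSIX sh helper added here as an example; it is not a script from the original post. It audits a client config for UseRoaming no, appends the option only when missing, and scans saved `ssh -v` output for the roaming debug message. The file paths, the `Host bastion` stanza and the log lines are constructed sample data.

```shell
#!/bin/sh
# Added helper (not from the original post): audits an ssh client config for
# the CVE-2016-0777 hot-fix, applies it idempotently, and scans saved
# `ssh -v` output for the roaming message. Needs only POSIX sh and grep.

# Return 0 if CONFIG already sets "UseRoaming no" ("UseRoaming no" or
# "UseRoaming=no", any case, leading whitespace allowed), else 1.
roaming_disabled() {
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]=]+no([[:space:]]|$)' "$1"
}

# Append the hot-fix only when it is missing, so re-running is safe. A new
# "Host *" stanza is written first so the option applies to every server even
# if the file already ends inside a more specific Host block.
disable_roaming() {
    roaming_disabled "$1" && return 0
    printf '\nHost *\n    UseRoaming no\n' >> "$1"
}

# Return 0 if saved `ssh -v` output (e.g. ssh -v user@host 2>&1 | tee ssh.log)
# contains the message the post uses as the indicator of an unpatched client.
still_affected() {
    grep -q 'debug1: Roaming not allowed by server' "$1"
}

# Self-check on constructed sample data; no network access needed.
demo() {
    tmp=$(mktemp -d) || return 1
    cfg="$tmp/ssh_config"
    log="$tmp/ssh.log"
    # Constructed config that ends inside a host-specific block.
    printf 'Host bastion\n    HostName bastion.example.invalid\n' > "$cfg"
    roaming_disabled "$cfg" && return 1      # must report "not fixed" first
    disable_roaming "$cfg"
    disable_roaming "$cfg"                   # second run must be a no-op
    [ "$(grep -ci 'UseRoaming' "$cfg")" -eq 1 ] || return 1
    # Constructed excerpt of `ssh -v` from a vulnerable client.
    printf 'debug1: SSH2_MSG_SERVICE_ACCEPT received\ndebug1: Roaming not allowed by server\n' > "$log"
    still_affected "$log" || return 1
    rm -rf "$tmp"
    echo "self-check passed"
}
```

Run `disable_roaming /etc/ssh/ssh_config` as root (or on `~/.ssh/config` as your own user) and `still_affected ssh.log` on output captured from a real `ssh -v` session.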
