The OpenSSH project has released information about an ssh client bug that can leak private keys to malicious servers. The issue, a man-in-the-middle style attack identified and fixed in OpenSSH, is tracked as CVE-2016-0777 and CVE-2016-0778. How do I fix OpenSSH’s client vulnerability on a Linux or Unix-like operating system?

A serious security problem has been found and patched in the OpenSSH software. Two vulnerabilities were discovered in OpenSSH on 14/Jan/2016. The Common Vulnerabilities and Exposures project identifies the following issues:
  • Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778 – All OpenSSH versions between 5.4 and 7.1 are vulnerable.
  • CVE-2016-0777 – An information leak (memory disclosure) can be exploited by a rogue SSH server to trick a client into leaking sensitive data from the client memory, including for example private keys.
  • CVE-2016-0778 – A buffer overflow (leading to a file descriptor leak) can also be exploited by a rogue SSH server, but due to another bug in the code it is possibly not exploitable, and only under certain conditions (not the default configuration), when using ProxyCommand, ForwardAgent or ForwardX11.

In this tutorial you will learn how to fix OpenSSH’s client and server bugs CVE-2016-0777 and CVE-2016-0778 on a Linux or Unix-like system, including how to verify the fix at the end of the tutorial.

How to find openssh version on a Linux or Unix-like system?

To find the installed openssh version on CentOS/RHEL/SL, type:
# yum list installed openssh\*
To find the installed openssh version on Debian/Ubuntu Linux, type:
$ dpkg --list | grep openssh
### OR ###
$ dpkg --list openssh\*

Sample outputs:

Fig.01: Finding the installed openssh server and client version

A list of affected Linux distros

  1. CentOS Linux 7.x
  2. RHEL (RedHat Enterprise Linux) 7.x
  3. Debian Linux (squeeze, wheezy, jessie, stretch, and sid release)
  4. Ubuntu Linux 15.10
  5. Ubuntu Linux 15.04
  6. Ubuntu Linux 14.04 LTS
  7. Ubuntu Linux 12.04 LTS
  8. SUSE Linux Enterprise Server 12 (SLES 12)
  9. SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
  10. SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
  11. SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
  12. openSUSE 13.2
  13. openSUSE Leap 42.1

Fix #1: How to apply a hot-fix for the issue (CVE-2016-0777)

Type the command as per your Linux or Unix variant:

Fix openssh on FreeBSD

## First be root and run command ##
sudo -s
echo 'UseRoaming no' >> /etc/ssh/ssh_config

Fix openssh on Linux

## run as root via sudo ##
echo 'UseRoaming no' | sudo tee -a /etc/ssh/ssh_config

Fix openssh on Apple Mac OS X

## run as normal user ##
echo "UseRoaming no" >> ~/.ssh/config

Fix openssh on OpenBSD

## run as root ##
echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config

All of the above commands add the option UseRoaming no to your /etc/ssh/ssh_config or ~/.ssh/config ssh client config file. Alternatively, you can start your ssh client session with the following command to avoid this bug without editing any file:
$ ssh -oUseRoaming=no
$ ssh -oUseRoaming=no root@v.server1

Fix #2: Upgrade your openssh to fix CVE-2016-0778

To fix CVE-2016-0777 and CVE-2016-0778, simply upgrade all your packages, or at a minimum upgrade the openssh-server and openssh-client packages:

Debian/Ubuntu/Mint Linux

Type the following apt-get command to update openssh:
$ sudo apt-get update
$ sudo apt-get upgrade
### OR ###
$ sudo apt-get update
$ sudo apt-get install openssh-client openssh-server openssh-sftp-server

Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
  ssh-askpass libpam-ssh monkeysphere rssh molly-guard ufw
The following packages will be upgraded:
  openssh-client openssh-server openssh-sftp-server
3 upgraded, 0 newly installed, 0 to remove and 16 not upgraded.
Need to get 1,060 kB of archives.
After this operation, 238 kB disk space will be freed.
Get:1 jessie/updates/main openssh-sftp-server amd64 1:6.7p1-5+deb8u1 [38.0 kB]
Get:2 jessie/updates/main openssh-server amd64 1:6.7p1-5+deb8u1 [331 kB]
Get:3 jessie/updates/main openssh-client amd64 1:6.7p1-5+deb8u1 [691 kB]
Fetched 1,060 kB in 2s (371 kB/s)       
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 84547 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-sftp-server (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Preparing to unpack .../openssh-server_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-server (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Preparing to unpack .../openssh-client_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-client (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Processing triggers for man-db ( ...
Processing triggers for systemd (215-17+deb8u2) ...
Setting up openssh-client (1:6.7p1-5+deb8u1) ...
Setting up openssh-sftp-server (1:6.7p1-5+deb8u1) ...
Setting up openssh-server (1:6.7p1-5+deb8u1) ...

SL/RHEL/CentOS Linux

Type the following yum command to patch and update openssh:
$ sudo yum update

Fedora Linux

Type the following dnf command to patch and update openssh:
$ sudo dnf update

FreeBSD Unix users

Type the following two commands to apply binary patches:
# freebsd-update fetch
# freebsd-update install

SUSE Enterprise Linux

SUSE Linux Enterprise Server 12-SP1:
# zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-85=1
SUSE Linux Enterprise Server 12:
# zypper in -t patch SUSE-SLE-SERVER-12-2016-85=1
SUSE Linux Enterprise Desktop 12-SP1:
# zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-85=1
SUSE Linux Enterprise Desktop 12:
# zypper in -t patch SUSE-SLE-DESKTOP-12-2016-85=1
Finally, to bring your system up-to-date, run:
# zypper patch

openSUSE Leap 42.1

# zypper in -t patch openSUSE-2016-38=1
Finally, to bring your system up-to-date, run:
# zypper patch

Do I need to reboot my server/laptop/computer powered by Linux or Unix?


Verify whether your system is still affected after the openssh updates

To check if your system is affected you can simply run:
$ ssh -v user@server
$ ssh -v

Sample outputs:

Fig.02: OpenSSH Roaming not allowed by server bug (CVE-2016-0777)

The message "debug1: Roaming not allowed by server" indicates that your system is affected. You will not see this debug message if you have applied the patches as explained earlier.
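The script below is an added example, not code from the article or from the OpenSSH project. It turns the three checks this tutorial walks through into shell functions: the version lookup against the affected 5.4 to 7.1 range, the presence of UseRoaming no in a client config file, and the "Roaming not allowed by server" line in ssh -v output. The function names, the sample banner and the sample debug log are constructed for the example.

```shell
#!/bin/sh
# Added example, not the OpenSSH project's or the article's own code.
# Three client-side checks for CVE-2016-0777/0778 exposure:
#   1. version_in_affected_range  - banner from "ssh -V" in the 5.4..7.1 range?
#   2. config_disables_roaming    - does a client config carry "UseRoaming no"?
#   3. debug_log_shows_roaming    - does "ssh -v" output show the roaming message?
# Caveat: patched distro builds keep the upstream version number (Debian's
# 1:6.7p1-5+deb8u1 above still reports OpenSSH_6.7p1), so check 1 alone
# over-reports; checks 2 and 3 reflect what the client actually does.

# Usage: version_in_affected_range "$(ssh -V 2>&1)"   (ssh -V prints to stderr)
version_in_affected_range() {
    # Pull "major minor" out of e.g. "OpenSSH_6.7p1 Debian-5+deb8u1, OpenSSL ..."
    mm=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p')
    [ -n "$mm" ] || return 2                 # not an OpenSSH version banner
    num=$(( ${mm%% *} * 100 + ${mm##* } ))   # 6.7 -> 607; integer compare only
    [ "$num" -ge 504 ] && [ "$num" -le 701 ]
}

# Usage: config_disables_roaming /etc/ssh/ssh_config   (or ~/.ssh/config)
config_disables_roaming() {
    # Keywords are case-insensitive and may be written "UseRoaming no" or "UseRoaming=no".
    # Commented-out lines do not count. Host/Match scoping is not evaluated.
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]=]+no[[:space:]]*$' "$1" 2>/dev/null
}

# Usage: debug_log_shows_roaming "$(ssh -v user@server 2>&1)"
debug_log_shows_roaming() {
    # The tutorial's indicator line: present only while roaming is still enabled.
    printf '%s\n' "$1" | grep -q 'Roaming not allowed by server'
}

# Constructed sample inputs, not captured from a real host.
SAMPLE_BANNER='OpenSSH_6.7p1 Debian-5+deb8u1, OpenSSL 1.0.1k 8 Jan 2015'
SAMPLE_LOG='debug1: Connecting to server [192.0.2.10] port 22.
debug1: Roaming not allowed by server'

if version_in_affected_range "$SAMPLE_BANNER"; then
    echo "banner in affected range: confirm with a config or ssh -v check"
fi
if debug_log_shows_roaming "$SAMPLE_LOG"; then
    echo "client still attempts roaming: add 'UseRoaming no'"
fi
```

Run it as a normal user; the config check works on both the system-wide /etc/ssh/ssh_config and a per-user ~/.ssh/config.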