How To Patch and Protect OpenSSH Client Vulnerability CVE-2016-0777 and CVE-2016-0778 [ 14/Jan/2016 ]
The OpenSSH project has released details of an ssh client bug that can leak private keys to malicious servers. The two issues, a man-in-the-middle kind of attack identified and fixed in OpenSSH, are dubbed CVE-2016-0777 and CVE-2016-0778. How do I fix OpenSSH's client vulnerability on a Linux or Unix-like operating system?
A serious security problem has been found and patched in the OpenSSH software. Two vulnerabilities have been discovered in OpenSSH on 14/Jan/2016. The Common Vulnerabilities and Exposures project identifies the following issues:
CVE-2016-0777 – An information leak (memory disclosure) can be exploited by a rogue SSH server to trick a client into leaking sensitive data from the client memory, including for example private keys.
CVE-2016-0778 – A buffer overflow (leading to a file descriptor leak) can also be exploited by a rogue SSH server, but due to another bug in the code it is possibly not exploitable, and only under certain conditions (not the default configuration), when using ProxyCommand, ForwardAgent or ForwardX11.
In this tutorial you will learn how to fix OpenSSH's client and server bugs CVE-2016-0777 and CVE-2016-0778 on a Linux or Unix-like system, including verification of the fix at the end of the tutorial.
How to find openssh version on a Linux or Unix-like system?
The syntax is as follows to find the openssh version on CentOS/RHEL/SL:
# yum list installed openssh*
The syntax is as follows to find the openssh version on Debian/Ubuntu Linux:
$ dpkg --list | grep openssh
### OR ###
$ dpkg --list openssh*
Sample outputs:
A list of affected Linux distros
CentOS Linux 7.x
RHEL (RedHat Enterprise Linux) 7.x
Debian Linux (squeeze, wheezy, jessie, stretch, and sid release)
Ubuntu Linux 15.10
Ubuntu Linux 15.04
Ubuntu Linux 14.04 LTS
Ubuntu Linux 12.04 LTS
SUSE Linux Enterprise Server 12 (SLES 12)
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
openSUSE Leap 42.1
Fix #1: How to apply a hot-fix for the issue (CVE-2016-0777)
Type the command as per your Linux or Unix variant:
Fix openssh on FreeBSD
## First be root and run command ##
sudo -s
echo 'UseRoaming no' >> /etc/ssh/ssh_config
Fix openssh on Linux
## run as root via sudo ##
echo 'UseRoaming no' | sudo tee -a /etc/ssh/ssh_config
Fix openssh on Apple Mac OS X
## run as normal user ##
echo "UseRoaming no" >> ~/.ssh/config
Fix openssh on OpenBSD
## run as root (printf is used instead of echo -e so the newline is portable) ##
printf 'Host *\nUseRoaming no\n' >> /etc/ssh/ssh_config
All of the above commands add the option UseRoaming no to your /etc/ssh/ssh_config or ~/.ssh/config ssh client config file. Alternatively, you can pass the option on the command line when starting your ssh client session to avoid this bug:
$ ssh -oUseRoaming=no firstname.lastname@example.org
$ ssh -oUseRoaming=no email@example.com
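One caveat with the echo >> approach: ssh_config honours the first value it sees for an option, and a line appended to the end of a file lands inside whatever Host or Match block closes that file, so in a per-user config ending with a host-specific block it would only cover that host. The following script is an added example, not part of the original tutorial; it checks whether UseRoaming no is actually in effect globally and, if not, prepends it once, ahead of any block. File names are constructed temporary files.

```shell
#!/bin/sh
# Added example (not from the original tutorial): a robust "UseRoaming no"
# hot-fix. ssh_config takes the FIRST value seen for an option, and a line
# appended with `echo >>` sits inside whatever Host/Match block ends the file,
# so it may apply to one host only. This inserts the directive at the top.
set -eu

# has_global_roaming_off FILE
# Exit 0 if "UseRoaming no" appears in the global section or under "Host *".
has_global_roaming_off() {
    awk '
        BEGIN { global = 1; found = 0 }
        { line = tolower($0); gsub(/=/, " ", line); n = split(line, f) }
        n == 0 || f[1] ~ /^#/ { next }                 # blank or comment
        f[1] == "host" || f[1] == "match" {
            global = (f[1] == "host" && n == 2 && f[2] == "*")
            next
        }
        global && f[1] == "useroaming" && f[2] == "no" { found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# disable_roaming FILE
# Idempotently prepend "UseRoaming no" so it applies to every host.
disable_roaming() {
    f=$1
    [ -e "$f" ] || : > "$f"
    if has_global_roaming_off "$f"; then
        return 0                                       # already effective
    fi
    tmp=$(mktemp)
    { printf 'UseRoaming no\n'; cat "$f"; } > "$tmp"
    cat "$tmp" > "$f"        # rewrite in place: keeps FILE's owner and mode
    rm -f "$tmp"
}

# Demo on a constructed per-user config that ends with a host-specific block.
demo=$(mktemp)
printf 'Host bastion\n    User ops\n' > "$demo"
echo 'UseRoaming no' >> "$demo"                        # plain append
if has_global_roaming_off "$demo"; then
    echo "append: applies globally"
else
    echo "append: scoped to 'Host bastion' only"
fi
disable_roaming "$demo"
has_global_roaming_off "$demo" && echo "prepend: applies to every host"
rm -f "$demo"
```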
Fix #2: Upgrade your openssh to fix CVE-2016-0778
To fix CVE-2016-0777 and CVE-2016-0778, upgrade all your packages, or as a minimum upgrade the openssh-server and openssh-client packages:
Type the following apt-get commands to update openssh:
$ sudo apt-get update
$ sudo apt-get upgrade
OR
$ sudo apt-get update
$ sudo apt-get install openssh-client openssh-server openssh-sftp-server
Sample outputs:
Reading package lists... Done
Building dependency tree
Reading state information... Done
ssh-askpass libpam-ssh monkeysphere rssh molly-guard ufw
The following packages will be upgraded:
openssh-client openssh-server openssh-sftp-server
3 upgraded, 0 newly installed, 0 to remove and 16 not upgraded.
Need to get 1,060 kB of archives.
After this operation, 238 kB disk space will be freed.
Get:1 http://security.debian.org/ jessie/updates/main openssh-sftp-server amd64 1:6.7p1-5+deb8u1 [38.0 kB]
Get:2 http://security.debian.org/ jessie/updates/main openssh-server amd64 1:6.7p1-5+deb8u1 [331 kB]
Get:3 http://security.debian.org/ jessie/updates/main openssh-client amd64 1:6.7p1-5+deb8u1 [691 kB]
Fetched 1,060 kB in 2s (371 kB/s)
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 84547 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-sftp-server (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Preparing to unpack .../openssh-server_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-server (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Preparing to unpack .../openssh-client_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-client (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Processing triggers for man-db (22.214.171.124-5) ...
Processing triggers for systemd (215-17+deb8u2) ...
Setting up openssh-client (1:6.7p1-5+deb8u1) ...
Setting up openssh-sftp-server (1:6.7p1-5+deb8u1) ...
Setting up openssh-server (1:6.7p1-5+deb8u1) ...
Type the following yum command to patch and update openssh:
$ sudo yum update
Type the following dnf command to patch and update openssh:
$ sudo dnf update
FreeBSD unix user
Type the following two commands to apply binary patches:
# freebsd-update fetch
# freebsd-update install
SUSE Enterprise Linux
SUSE Linux Enterprise Server 12-SP1:
# zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-85=1
SUSE Linux Enterprise Server 12:
# zypper in -t patch SUSE-SLE-SERVER-12-2016-85=1
SUSE Linux Enterprise Desktop 12-SP1:
# zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-85=1
SUSE Linux Enterprise Desktop 12:
# zypper in -t patch SUSE-SLE-DESKTOP-12-2016-85=1
Finally, to bring your system up-to-date, run:
# zypper patch
openSUSE Leap 42.1
# zypper in -t patch openSUSE-2016-38=1
Finally, to bring your system up-to-date, run:
# zypper patch
Do I need to reboot my server/laptop/computer powered by Linux or Unix?
Verify if system is still affected after openssh updates
To check if your system is affected you can simply run:
$ ssh -v user@server
$ ssh -v firstname.lastname@example.org
Sample outputs:
The message debug1: Roaming not allowed by server indicates that your system is affected. You will not see this debug message if you applied patches as explained earlier.
The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.