Update OpenSSH client
Hello,
I've received this e-mail from my vps provider:
[SPOILER=" Protecting Against CVE-2016-0777 and CVE-2016-0778">
Protecting Against CVE-2016-0777 and CVE-2016-0778
Posted: 15 Jan 2016 08:36 AM PST
Overview
A flaw in OpenSSH, discovered and reported by Qualys on Jan. 14, 2016, could potentially allow an information leak (CVE-2016-0777) or buffer overflow (CVE-2016-0778) via the OpenSSH client. Specifically, an undocumented feature called roaming, introduced in OpenSSH version 5.4, can be exploited to expose a client"s private SSH key.
Impact
The roaming feature, which allows clients to reconnect to the server automatically should the connection drop (on servers supporting the feature), can be exploited in the default configuration of OpenSSH clients from versions 5.4 through 7.1p1, but is not supported in the default configuration of the OpenSSH server.
All versions of OpenSSH clients from 5.4 through 7.1p1 are affected for anyone who connects via SSH on the following operating systems:
[LIST]
Linux
FreeBSD
Mac OS X
Windows when using OpenSSH for Windows
The following are not affected:
[LIST]
OpenSSH servers in default configuration
Windows users utilizing PuTTY to connect
Connections not authenticated via an SSH key
Summary
A connection made from an affected client to a compromised or malicious server which uses an SSH key for authentication potentially could expose all or part of the user"s private SSH key.
If the key utilized to authenticate the connection is encrypted, only the encrypted private key could be exposed. However, a malicious party could attempt to brute-force the password offline after obtaining the encrypted key.
Is Your SSH Client Vulnerable?
You can check the version of your SSH client by running the following command:
ssh -V
That will produce output similar to:
workstation$ $ ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015
If the version is below 7.1p2, the SSH client is affected.
I checked my ssl version and it is an old OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
I tried to update
But there are not updates for the SSH Client. How can I update? Is this openssh version insecure? Thanks P.S. my operating system is CentOS Linux release 7.1.1503
yum clean all && yum update
But there are not updates for the SSH Client. How can I update? Is this openssh version insecure? Thanks P.S. my operating system is CentOS Linux release 7.1.1503
-
Hello :) Please keep in mind that updates to the OpenSSH package are shipped by your OS vendor (e.g. CentOS, Red Hat). This often comes in the form of a patch to the existing version of the package. Here's an example of a command you can run to determine if a patch for these vulnerabilities has been implemented: rpm -q --changelog openssh | grep CVE-2016
You should see this output:- prevents CVE-2016-0777 and CVE-2016-0778
Thank you.0 -
Hello, I've tried with rpm -q --changelog openssl | grep CVE-2016
but nothing happens0 -
You are checking for "openssl". The package in question here is "openssh". Thank you. 0 -
I've update my /etc/ssh/ssh_config echo 'UseRoaming no' | sudo tee -a /etc/ssh/ssh_config
Should I generate new keys?0 -
Should I generate new keys?
Were you able to determine if the security patches were backported to the version of OpenSSH installed on your system? Thank you.0 -
If I try with rpm -q --changelog openssh | grep CVE-2016
nothing happens.0 -
Are you sure there's no output when running the "yum update" command on your system? Thank you. 0 -
In regards to changing SSH keys, I did change mine, because paranoia is cheap and incident response is not. In regards to updates, you will probably not see updates on centOS 4/5/6 (4 is EOL anyway) because they were unaffected. CentOS 7 may receive updates per the information below: OpenSSH: Information-leak vulnerability (CVE-2016-0777) - Red Hat Customer Portal Affected Products [LIST] - Red Hat Enterprise Linux 4, 5, and 6 are not affected by this flaw because they include OpenSSH versions older than 5.4, and hence do not implement the roaming feature.
- Red Hat Enterprise Linux 7 since version 7.1 has provided OpenSSH 6.6 for which the default configuration is not affected by this flaw. OpenSSH 6.6 is only vulnerable to this issue when used with certain non-default ProxyCommand settings. Security update RHSA-2016-0043 corrects this issue.
- Red Hat Enterprise Linux 7 prior to version 7.1 (released in March 2015) provides OpenSSH 6.4 and is impacted regardless of the use of the ProxyCommand settings. The OpenSSH packages were updated from version 6.4 to version 6.6 in Red Hat Enterprise Linux 7.1 via RHSA-2015:0425.
0 -
Are you sure there's no output when running the "yum update" command on your system? Thank you.
If I run yum update there are no packages marked for update: root@host [~]# yum update Plugin abilitati:fastestmirror, priorities kernelcare | 951 B 00:00 stable-arch | 951 B 00:00 stable-generic | 951 B 00:00 stable-noarch | 951 B 00:00 system-base | 3.6 kB 00:00 system-extras | 3.4 kB 00:00 system-updates-released | 3.4 kB 00:00 Loading mirror speeds from cached hostfile 2 packages excluded due to repository priority protections No packages marked for update
@quizknows In regards to changing SSH keys, I did change mine, because paranoia is cheap and incident response is not. In regards to updates, you will probably not see updates on centOS 4/5/6 (4 is EOL anyway) ......
Thanks0 -
If I run yum update there are no packages marked for update:
I suggest consulting with your provider to determine why your system is not updating to the latest version of CentOS or why you are not receiving package updates. It's possible you are using invalid YUM repo files. Thank you.0
Please sign in to leave a comment.
Comments
10 comments