How To Patch and Protect OpenSSH Client Vulnerability CVE-2016-0777 and CVE-2016-0778 [ 14/Jan/2016 ]

By -
The OpenSSH project released an ssh client bug info that can leak private keys to malicious servers. A man-in-the-middle kind of attack identified and fixed in OpenSSH are dubbed CVE-2016-0777 and CVE-2016-0778. How do I fix OpenSSH's client vulnerability on a Linux or Unix-like operating system?

A serious security problem has been found and patched in the OpenSSH software. Two vulnerabilities have been discovered in OpenSSH on 14/Jan/2016. The Common Vulnerabilities and Exposures project identifies the following issues:
  • Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778 - All OpenSSH versions between 5.4 and 7.1 are vulnerable.
  • CVE-2016-0777 - An information leak (memory disclosure) can be exploited by a rogue SSH server to trick a client into leaking sensitive data from the client memory, including for example private keys.
  • CVE-2016-0778 - A buffer overflow (leading to file descriptor leak), can also be exploited by a rogue SSH server, but due to another bug in the code is possibly not exploitable, and only under certain conditions (not the default configuration), when using ProxyCommand, ForwardAgent or ForwardX11.
In this tutorial you will learn how to fix OpenSSH's client and server bugs CVE-2016-0777 and CVE-2016-0778 on a Linux or Unix-like system including bug verification at the end of the tutorial.

How to find openssh version on a Linux or Unix-like system?

The syntax is as follows to find openssh version on a CentOS/RHEL/SL:
# yum list installed openssh\*
The syntax is as follows to find openssh version on a Debian/Ubuntu Linux:
$ dpkg --list | grep openssh
### OR ###
$ dpkg --list openssh\*
Sample outputs:
Fig.01: Finding install openssh server and client version
Fig.01: Finding install openssh server and client version

A list of affected Linux distros

  1. CentOS Linux 7.x
  2. RHEL (RedHat Enterprise Linux) 7.x
  3. Debian Linux (squeeze, wheezy, jessie, stretch, and sid release)
  4. Ubuntu Linux 15.10
  5. Ubuntu Linux 15.04
  6. Ubuntu Linux 14.04 LTS
  7. Ubuntu Linux 12.04 LTS
  8. SUSE Linux Enterprise Server 12 (SLES 12)
  9. SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
  10. SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
  11. SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
  12. openSUSE 13.2
  13. openSUSE Leap 42.1

Fix #1: How to apply hot-fix to fix the isssue (CVE-2016-0777)

Type the command as per your Linux or Unix variant:

Fix openssh on FreeBSD

## First be root and run command ##
sudo -s
echo 'UseRoaming no' >> /etc/ssh/ssh_config

Fix openssh on Linux

## run as root via sudo ##
echo 'UseRoaming no' | sudo tee -a /etc/ssh/ssh_config
 

Fix openssh on Apple Mac OS X

## run as normal user ##
echo "UseRoaming no" >> ~/.ssh/config
 

Fix openssh on OpenBSD

## run as root ##
echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config
 
All of the above commands add the option UseRoaming no to your /etc/ssh/ssh_configor ~/.ssh/config ssh client config file. Of course your can start your ssh client session with the following command to to avoid this bug:
$ ssh -oUseRoaming=no vivek@server1.cyberciti.biz
$ ssh -oUseRoaming=no root@v.server1

Fix #2: Upgrade your openssh to fix CVE-2016-0778

To fix CVE-2016-0777 simply upgrade all your packages or as a minimum upgrade openssh-server and openssh-client package:

Debian/Ubuntu/Mint Linux

Type the following apt-get command to update openssh:
$ sudo apt-get update
$ sudo apt-get upgrade
OR
$ sudo apt-get update
$ sudo apt-get install openssh-client openssh-server openssh-sftp-server
Sample outputs:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  ssh-askpass libpam-ssh monkeysphere rssh molly-guard ufw
The following packages will be upgraded:
  openssh-client openssh-server openssh-sftp-server
3 upgraded, 0 newly installed, 0 to remove and 16 not upgraded.
Need to get 1,060 kB of archives.
After this operation, 238 kB disk space will be freed.
Get:1 http://security.debian.org/ jessie/updates/main openssh-sftp-server amd64 1:6.7p1-5+deb8u1 [38.0 kB]
Get:2 http://security.debian.org/ jessie/updates/main openssh-server amd64 1:6.7p1-5+deb8u1 [331 kB]
Get:3 http://security.debian.org/ jessie/updates/main openssh-client amd64 1:6.7p1-5+deb8u1 [691 kB]
Fetched 1,060 kB in 2s (371 kB/s)
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 84547 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-sftp-server (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Preparing to unpack .../openssh-server_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-server (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Preparing to unpack .../openssh-client_1%3a6.7p1-5+deb8u1_amd64.deb ...
Unpacking openssh-client (1:6.7p1-5+deb8u1) over (1:6.7p1-5) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u2) ...
Setting up openssh-client (1:6.7p1-5+deb8u1) ...
Setting up openssh-sftp-server (1:6.7p1-5+deb8u1) ...
Setting up openssh-server (1:6.7p1-5+deb8u1) ...

SL/RHEL/CentOS Linux

Type the following yum command to patch and update openssh:
$ sudo yum update

Fedora Linux

Type the following dnf command to patch and update openssh:
$ sudo dnf update

FreeBSD unix user

Type the following two command to apply binary patches:
# freebsd-update fetch
# freebsd-update install

SUSE Enterprise Linux

SUSE Linux Enterprise Server 12-SP1:
# zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-85=1
SUSE Linux Enterprise Server 12:
# zypper in -t patch SUSE-SLE-SERVER-12-2016-85=1
SUSE Linux Enterprise Desktop 12-SP1:
# zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-85=1
SUSE Linux Enterprise Desktop 12:
# zypper in -t patch SUSE-SLE-DESKTOP-12-2016-85=1
Finally, to bring your system up-to-date, run:
# zypper patch

openSUSE Leap 42.1

# zypper in -t patch openSUSE-2016-38=1
Finally, to bring your system up-to-date, run:
# zypper patch

Do I need to reboot my server/laptop/computer powered by Linux or Unix?

No.

Verify if system is still affected after openssh updates

To check if your system is affected you can simply run:
$ ssh -v user@server
$ ssh -v vivek@server1.cyberciti.biz
Sample outputs:
Fig.02: OpenSSH Roaming not allowed by server bug (CVE-2016-0777)
Fig.02: OpenSSH Roaming not allowed by server bug (CVE-2016-0777)

The message debug1: Roaming not allowed by server indicates that your system is affected. You will not see this debug message if you applied patches as explained earlier.

More Info: http://www.cyberciti.biz/faq/howto-openssh-client-security-update-cve-0216-0777-cve-0216-0778/

Comments

Post a Comment

Popular posts from this blog

How to delete SEA in VIOS

By -
Remove the network en0 #ifconfig en0 down #ifconfig en0 detach Delete SEA $ lsdev -type sea name             status      description ent27            Defined     Shared Ethernet Adapter $ chdev -dev en26 -attr state=detach en27 changed $ rmdev -dev ent26;rmdev -dev en26;rmdev -dev et26 ent27 deleted $ rmdev -dev en26 en27 deleted $ rmdev -dev et26 et27 deleted system information #prtconf|more rmdev -dev ent3;rmdev -dev en3;rmdev -dev et3
Read more

More VIOS commands

By -
RAID controller USB UHC Spec --> local disk Location code website need to find? SCSI Adapter create LVM on VIOS if we hv single physical disk lsdev -virtul ent1 -- virtual adapter lsdev ent0 ---physical adapter lsmap -all -net netstat -state chdev -dev ent0 -attr state=detach mkdev VIOS Adapter 2 Port VLAN 1 port 3 vlan 99 bridge NO $ oem_setup_env 32 LPM_VIOS juno 37 c05076050e790000 c05076050e790001 show WWPN no lscfg -vpl fcs0 http://9.126.134.190/na_admin/ show hardisks lspv mkvdev -sea ent0 -vadapter ent1 -default ent1 -defaultid 1 5) Scan for new disks from your server Log into your server and scan for new hardware. SCAN SAN disks LUNS In AIX: AIX# cfgmgr AIX# fget_config -Avada $ vfcmap -vadapter vfchost2 -fcp fcs1 $ lsmap -all -npiv Name          Physloc                            ClntID ClntName       ClntOS ------------- ---------------------------------- ------ -------------- ------- vfchost0      U8205
Read more

Webmin configuration for LDAP

By -
We cannot add or delete users by default so we have to do below changes in LDAP module in GUI mode only. Configuring the module The most complex part of using this module is configuring it to talk to your LDAP server. By default, it will attempt to auto-detect the settings by looking at the LDAP client settings on your system, documented on the LDAPClient page. However, if this fails (perhaps because the LDAP server is not one of its own clients), you will need to configure the module manually as follows : On the module's main page, click on the Module Config link. In the LDAP server host field, enter the hostname of your LDAP server. If it is running on the same machine, enter localhost. If the LDAP server is using encryption, change the LDAP server uses TLS? option to Yes. In the Bind to LDAP server as field, enter the full DN of the administrative user for your LDAP server. This might be something like cn=Manager,dc=my-domain,dc=com. In the Credentials for bind name above field,
Read more