Major Vulnerability Fixed in OpenSSH

OpenSSH, one of the best-known secure shell implementations, just fixed a major bug that could leak secret cryptographic keys. According to PC World, OpenSSH clients since version 5.4 have enabled by default a feature known as roaming, which allows interrupted SSH connections to be resumed. The feature exists only on the client side and is not present on the server side.

ZDNet added, “According to a mailing list disclosing the flaw, a malicious server can trick an affected client to leak client memory, including a client’s private user keys.” Also according to the mailing list, the matching server code was never shipped. Both websites have reported that as of Thursday, a security patch, version 7.1p2, was released to fix this issue.

Our Analysis

Per Ars Technica, Qualys was the security firm that disclosed the bug to OpenSSH. It was reported on January 11th and OpenSSH responded quickly, releasing the patch three days later. As with every other patch that is released to fix an issue, it is recommended you update as soon as possible. OpenSSH, through an advisory, stated that if you are unable to update, then you should disable roaming. To accomplish this, add the string “UseRoaming no” (minus the quotes) to the “global ssh_config(5)” file or to the user configuration in ~/.ssh/config, or enter “-oUseRoaming=no” on the command line. It’s also recommended that users regenerate their SSH keys in the event that hackers have already compromised servers that end users trust.
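As an added example (not code from the post or from the OpenSSH project), a POSIX shell check for the workaround above: it reports whether a client configuration file already carries a global “UseRoaming no” directive and adds one if not. It assumes the file follows the ssh_config(5) “Keyword value” layout, where a directive placed before any Host/Match block applies to every connection.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenSSH.
# Assumption: ssh_config(5) layout; directives before the first
# Host/Match block are global, later ones belong to that block.

# roaming_disabled FILE -> exit 0 if a global "UseRoaming no" is present
roaming_disabled() {
    awk '
        # skip comments and blank lines
        /^[ \t]*(#|$)/ { next }
        # stop at the first Host/Match block: lines after it are not global
        tolower($1) == "host" || tolower($1) == "match" { exit }
        tolower($1) == "useroaming" && tolower($2) == "no" { found = 1 }
        END { exit !found }
    ' "$1"
}

# ensure_roaming_disabled FILE -> prepend the directive when absent and
# print "added", otherwise print "already-disabled"
ensure_roaming_disabled() {
    if roaming_disabled "$1"; then
        echo "already-disabled"
        return 0
    fi
    # prepend so the directive lands in the global section and, because
    # ssh_config uses the first value it finds, wins over later settings
    tmp=$(mktemp) || return 1
    { printf 'UseRoaming no\n'; cat "$1"; } > "$tmp" \
        && cat "$tmp" > "$1"
    rm -f "$tmp"
    echo "added"
}
```

Run it against ~/.ssh/config with `ensure_roaming_disabled "$HOME/.ssh/config"`; a “UseRoaming no” inside a Host block is deliberately not counted, since it would not protect connections to other hosts.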

The OpenSSH advisory is the official release made regarding this issue. It also has some other useful information, such as the procedure for reporting bugs.



Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

Be sure to subscribe to this blog and to our Podcast.

If you have ANY Cybersecurity needs, please contact us and a member of our staff will promptly reply to your question or concern.

References

PC World
ZDNet
Ars Technica
OpenSSH


About Scott Entsminger

Scott Entsminger was born and raised in Virginia. He graduated from Radford University with a Bachelor of Science in Criminal Justice. Scott has worked for the Department of Defense since graduating college. He is an expert in Windows Administration, with specific experience in Group Policy and vulnerability remediation. He also has specific experience in Information Assurance (IA) and Cyber Security.

Scott holds the CompTIA Security+ certification. He is always looking to diversify his skillset. Scott is an avid sports fan, particularly baseball. He also is an avid gamer and enjoys learning different skills involving his PC.