Major Vulnerability Fixed in OpenSSH
One of the most known secure shell programs OpenSSH just fixed a major bug that could leak secret crytopgraphic keys. According to PC World, OpenSSH clients since version 5.4 enabled by default a feature known as roaming that allows SSH connections to be resumed. It is only on the client side and not present on the server side.
ZDNet added, “According to a mailing list disclosing the flaw, a malicious server can trick an affected client to leak client memory, including a client’s private user keys.” Also according to the mailing list, the matching server code was never shipped. Both website have reported that as of Thursday, a security patch version 7.1p2 was released to fix this issue.
Per ARS Technica, Qualys was the security firm that disclosed the bug to OpenSSH. It was reported on January 11th and OpenSSH responded quickly releasing the patch three days later. As with every other patch that is released to fix an issue, it is recommended you update as soon as possible. OpenSSh, through an advisory, stated if you are unable to update, then you should disable roaming. To accomplish this add the string “UseRoaming no” (minus the quotes) to the “global ssh_config(5)” file or to the user configuration in ~/.ssh/config or entering “-oUseRoaming=no” on the command line. It’s also recommended that users regenerate their SSH keys in the event that hackers have already comprised servers that end users trust.
OpenSSH is the release that was made regarding this exploit. It also has some other useful information such as the protocol to report bugs.
Other High Profile Breaches:
Experian (includes T-Mobile)
Tesla and Chrysler (unrelated to each other)
Apple App Store
U.S. Office of Personnel Management (OPM)
Kaspersky & FireEye (unrelated to each other)
Excellus Blue Cross Blue Shield
Ashley Madison (follow up)
Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.
Be sure to subscribe to this blog and to our Podcast.
If you have ANY Cybersecurity needs, please contact us and a member of our staff with promptly reply to your question or concern.