The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability note CVE-2016-0777 CVE-2016-0778

OpenSSH: key disclosure via Roaming

Synthesis of the vulnerability

An attacker, who owns a malicious SSH server, can invite a client to connect with OpenSSH, and then call the Roaming feature, in order to obtain sensitive information about keys used by the SSH client.
Impacted products: DCFM Enterprise, FabricOS, Brocade Network Advisor, Brocade vTM, Debian, Black Diamond, ExtremeXOS, Summit, Fedora, FreeBSD, AIX, WebSphere MQ, Juniper J-Series, Junos OS, NSM Central Manager, NSMXpress, Meinberg NTP Server, Data ONTAP, OpenBSD, OpenSSH, openSUSE, openSUSE Leap, Solaris, Palo Alto Firewall PA***, PAN-OS, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Symfony, Synology DS***, Synology RS***, Ubuntu.
Severity of this bulletin: 3/4.
Consequences of an intrusion: data reading, denial of service on client.
Hacker's origin: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 14/01/2016.
Revision date: 14/01/2016.
Références of this threat: 046062, 7043086, 9010059, BSA-2016-002, bulletinoct2015, CERTFR-2016-AVI-022, CERTFR-2016-AVI-128, CERTFR-2017-AVI-012, CERTFR-2017-AVI-022, CVE-2016-0777, CVE-2016-0778, DSA-3446-1, FEDORA-2016-2e89eba0c1, FEDORA-2016-4556904561, FEDORA-2016-67c6ef0d4f, FEDORA-2016-c330264861, FreeBSD-SA-16:07.openssh, JSA10734, JSA10774, NTAP-20160126-0001, openSUSE-SU-2016:0127-1, openSUSE-SU-2016:0128-1, openSUSE-SU-2016:0144-1, openSUSE-SU-2016:0145-1, PAN-SA-2016-0011, RHSA-2016:0043-01, SSA:2016-014-01, SUSE-SU-2016:0117-1, SUSE-SU-2016:0118-1, SUSE-SU-2016:0119-1, SUSE-SU-2016:0120-1, USN-2869-1, VIGILANCE-VUL-18729, VN-2016-001, VU#456088.

Description of the vulnerability

The OpenSSH product implements a SSH client and server.

The SSH client contains an undocumented experimental feature named Roaming, which is implemented in the roaming_client.c file. This feature is enabled by default, and it is used to restart an old session. It is impacted by two vulnerabilities.

The Roaming feature can be used by a SSH server to read the SSH client memory, to obtain its keys. [severity:3/4; CVE-2016-0777]

The Roaming feature can be used by a SSH server to trigger an overflow and a descriptor leak in the SSH client, in order to generate a denial of service. [severity:2/4; CVE-2016-0778]

An attacker, who owns a malicious SSH server, can therefore invite a client to connect with OpenSSH, and then call the Roaming feature, in order to obtain sensitive information about keys used by the SSH client.
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides a software vulnerabilities database. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The technology watch team tracks security threats targeting the computer system.