New OpenSSH bug could leak encryption keys to attackers

January 15, 2016


Users of OpenSSH are advised to immediately update their software following the discovery of a critical vulnerability that could permit attackers to steal private encryption keys. OpenSSH is a widely used implementation of Secure Shell (SSH), a protocol that allows for encrypted communications over unsecured networks. It features in a number of Linux-based operating systems such as Ubuntu and Mac OS X.

The software’s creators have released a new version, OpenSSH 7.1p2, which patches the vulnerability. Many developers who use OpenSSH in their products have begun rolling out updates which contain the latest patched version of OpenSSH.

The vulnerability (CVE-2016-0777) affects OpenSSH versions 5.4 to 7.1, which contain what it termed “experimental support” for a roaming feature that allowed for the resumption of broken SSH connections. OpenSSH said that while the matching server code had never been shipped, the client code was enabled by default. The vulnerability means that a malicious server could trick OpenSSH into leaking client memory, including encryption keys.

It should be noted that a successful exploit requires the attacker to trick the target computer into connecting to a malicious server, which limits the scope for exploit. “The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers,” the OpenSSH statement said.

Read full story…