Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSH Patches Bug That Leaks Private Crypto Keys (threatpost.com)

Posted by timothy on from the once-in-a-blue-moon dept.

msm1267 writes: OpenSSH today released a patch for a critical vulnerability that could be exploited by an attacker to force a client to leak private cryptographic keys. The attacker would have to control a malicious server in order to force the client to give up the key, OpenSSH and researchers at Qualys said in separate advisories. Qualys' security team privately disclosed the vulnerability Jan. 11 and the OpenSSH team had it patched within three days. The vulnerability was found in a non-documented feature called roaming that supports the resumption of interrupted SSH connections. OpenSSH said client code between versions 5.4 and 7.1 are vulnerable as it contains the roaming support. OpenSSH said that organizations may disable the vulnerable code by adding 'UseRoaming no' to the global ssh_config(5) file. Researchers at Qualys said organizations should patch immediately and regenerate private keys.

60 comments

  1. Wow, apt is faster than slashdot by NotInHere · · Score: 4, Informative

    I knew that there has been updates for openssl since I last ran apt-get update && apt-get dist-upgrade, it asked me to update the "openssh-client" package.

    good job, debian guys!

    1. Re:Wow, apt is faster than slashdot by Anonymous Coward · · Score: 0

      5 pm Jan. 14, 2016 ...
      Get:4 http://ftp.us.debian.org/debian/ testing/main openssh-client amd64 1:7.1p1-6 [736 kB] ...

      As of this writing Debian testing is still on 7.1p1, not 7.1p2 required to mitigate this bug.

    2. Re:Wow, apt is faster than slashdot by kthreadd · · Score: 3, Informative

      Debian and many other GNU/Linux distros tend to backport patches rather than updating to the new upstream release directly. That's because upstream releases often include other changes that might disrupt the way users use the software. Debian may also include a number of local patches in their version and these might break when rebasing onto a new version. So when they backport a patch they typically don't update the version number except for the last part, in this case the -6 at the end which is a Debian add-on. So it's the sixth Debian patch to the 7.1p1 upstream release that you have there, not 7.1p1 as released by upstream.

    3. Re: Wow, apt is faster than slashdot by bill_mcgonigle · · Score: 1

      Um, yeah, we want the distros to get patches out before full-disclosure.

      In this case, it's not just DiceDot being slow. We can come back tomorrow for the story about all the Nest thermostats failing today and bitch about it then.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  2. Undocumented features?! by spectrum- · · Score: 3, Insightful

    Undocumented features in security focused software. This doesn't sound like a good idea! Test or unfinished features should probably go in code forks or unreleased prototypes far from production use.

    1. Re: Undocumented features?! by Anonymous Coward · · Score: 3, Funny

      This is actually somewhat embarrassing for the OpenSSH project. Maybe the LibreSSL folks can step up and make aLibreSSH version of OpenSSH. They seem to know their stuff with security.

    2. Re: Undocumented features?! by spectrum- · · Score: 1

      The other thing about this is the undocumented feature allowing resumption of wonky connections sounds a bit like Mosh. A feature I would actually like to see in openssh itself. Mosh is still not compatible with enough clients for me as yet.

      After patching this (which does sound unlikely to be explored issue to be fair for most implementations). They should concentrate on finishing and documenting that feature.

    3. Re: Undocumented features?! by spectrum- · · Score: 1

      explored/exploited..

    4. Re:Undocumented features?! by Anonymous Coward · · Score: 0

      But then how does someone sneak in backdoors?

    5. Re:Undocumented features?! by gweihir · · Score: 2

      This must be a combination of somebody really messing up (allowing experimental and enabled code into a production release) and somebody asking for it, either because of stupidity or because of malicious intent.

      No reason to dump OpenSSH, the project has an excellent security track record. And they found this and patched it very fast. But they have some explaining to do and they need to make sure something like this does not happen again.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Undocumented features?! by Anonymous Coward · · Score: 0

      Undocumented features in security focused software. This doesn't sound like a good idea!

      Undocumented features in OpenSSH. This doesn't sound above board!

    7. Re:Undocumented features?! by TheRaven64 · · Score: 1

      And they found this and patched it very fast.

      And then completely screwed up responsible disclosure, because apparently time zones are hard.

      --
      I am TheRaven on Soylent News
    8. Re:Undocumented features?! by Anonymous Coward · · Score: 0

      Responsible disclosure is a crappy term, because responsible can mean two completely different things.

      In the world of Microsoft, it means waiting until the marketing department has had time to come up with an excuse, while leaving users open to attack. Responsible to the manufacturer.

      Where as in a world where users are in focus, it means getting the word to the users as fast as possible, to allow them to stop or firewall off the service in question, without waiting for a patch. Responsible to the user.

    9. Re:Undocumented features?! by TheRaven64 · · Score: 1

      Responsible in this case would have been immediate disclosure of the work-around, then waiting a few hours for all of the distributions that have signed on to coordinate releases for this kind of security update to have their packages ready before releasing the details of the exploit. Instead, they botched the release and told everyone how to exploit it before anyone had updated packages.

      --
      I am TheRaven on Soylent News
    10. Re:Undocumented features?! by Anonymous Coward · · Score: 0

      That line of thinking requires that you put the income of the distributions above the value of open source. That the image of the distributions is so important that they should get the knowledge before somebody installing from source.

      Putting those who install from source on equal foot with the distributions prevents doing that.

    11. Re: Undocumented features?! by Anonymous Coward · · Score: 0

      The LibreSSL folks are the ones who do make OpenSSH. It's the same team i believe. OpenBSD, theo and his crew.

  3. ...and when you scroll all the way to the bottom.. by Penguinisto · · Score: 5, Informative

    “Its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X),” Qualys said. “This buffer overflow is therefore unlikely to have any real-world impact.”

    99.9% of all *nix servers on the planet with SSH on them do not use either option. Good that they patched it, but otherwise, I don't think I'm going to be in a massive hurry to do a crash-patching this weekend.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  4. Re:...and when you scroll all the way to the botto by NotInHere · · Score: 3, Informative

    If you actually scroll a bit up, you'll see that there were two bugs: one information leak, that exposes the private crypto keys, and a buffer overflow, not exploitable if the non-default options are set.

  5. LibreSSL? by Anonymous Coward · · Score: 1

    Wait, isn't this the same people making LibreSSL and a big fuzz about OpenSSL being insecure and leaving old and unused code around? Isn't this pretty much OpenSSH's Hearblead? Guess what we need know is a LibreSSH project.

    1. Re:LibreSSL? by explicit_bzero · · Score: 1

      Go read http://undeadly.org/cgi?action... and https://www.qualys.com/2016/01... Come back and maybe (just maybe) you'll find what exactly is wrong in your post.

    2. Re:LibreSSL? by Anonymous Coward · · Score: 0

      If you add up all of the remote exploitable code that OpenBSD+OpenSSH have had in the past 20 years, OpenSSL still had more bugs being found EVERY WEEK for a few months. Magnitudes difference in the number of security issues.

    3. Re:LibreSSL? by gweihir · · Score: 1

      Not comparable.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. Re:...and when you scroll all the way to the botto by kthreadd · · Score: 3, Informative

    “Its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X),” Qualys said. “This buffer overflow is therefore unlikely to have any real-world impact.”

    99.9% of all *nix servers on the planet with SSH on them do not use either option. Good that they patched it, but otherwise, I don't think I'm going to be in a massive hurry to do a crash-patching this weekend.

    It's a client-side bug, and both agent and X11 forwarding are fairly common there.

  7. Location of ssh_config on OS X by Anonymous Coward · · Score: 2, Informative

    This file is in /etc/ssh/ssh_config

    The line to add is: UseRoaming no

    What is the recommended upgrade path here, waiting for an OS X patch, or manually installing and upgrading via brew tap homebrew/dupes and brew install openssh?

    I'm confused about what vest practice is for keeping homebrew installed packages that are security critical up to date. It seems cumbersome to do a brew update and brew info every so often. What is the automated solution here?

    1. Re:Location of ssh_config on OS X by Anonymous Coward · · Score: 1

      This file is in /etc/ssh/ssh_config

      The line to add is: UseRoaming no

      What is the recommended upgrade path here, waiting for an OS X patch, or manually installing and upgrading via brew tap homebrew/dupes and brew install openssh?

      I'm confused about what vest practice is for keeping homebrew installed packages that are security critical up to date. It seems cumbersome to do a brew update and brew info every so often. What is the automated solution here?

      Should be:
      Host *
      (-> tab over) UseRoaming no

      Put a tab before 'UseRoaming no' - http://www.undeadly.org/cgi?action=article&sid=20160114142733

  8. Wait WHAT? by cfalcon · · Score: 2

    Why is the DEFAULT option to USE a feature that doesn't even work? Not only is the experimental code in the baseline for some reason, not only is it nonfunctional (and therefore not testable), but it's ENABLED BY DEFAULT?

    Bug, or someone's feature?

    1. Re:Wait WHAT? by Anonymous Coward · · Score: 1

      It's a bug.

      These things happen.

      Sincerely,
      The NSA.

    2. Re:Wait WHAT? by gweihir · · Score: 2

      Only two options: 1. extreme stupidity coupled with completely unprofessional behavior or 2. malicious intent. This is just far too nice and works too well with the recently discovered backdoors in Firewalls (which are devices you would use SSH to log into) to be an accident IMO. Finger-pointing with evidence is pretty much a must at this point.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. Correct me if I am wrong by The-Ixian · · Score: 1

    But since this is a client bug, you would actually have to connect to a malicious SSHD session, correct?

    If that is the case... I don't see how this is a huge deal. Who SSH's to weird unknown servers?

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Correct me if I am wrong by Anonymous Coward · · Score: 0

      Who says an attacker hasn't infected sshd on the good and well-known server?

    2. Re:Correct me if I am wrong by Anonymous Coward · · Score: 1

      Or, for that matter, that your connection to the good server hasn't been re-routed to an evil one?

      (The NSA likes to do that kind of thing)

    3. Re:Correct me if I am wrong by Anonymous Coward · · Score: 1

      Script-kiddies working for China/Russian Government.

      Shame this feature got patched. It sounds like it was a really great "cracker-jacker"! Suddenly every server compromised by the script-kiddies is a honeypot for the NSA. This is a great example of how a "good offense is a good defense". Or maybe: "how a suspiciously weak defense may be an offense in disguise?"

      IDK: the point is, having damn near 100% transparency, on every SSH shell, on damn near every single bad guy tunnel is pretty fucking neat for the good guys trying to anticipate threats/steal zero-day exploits and impale the enemy on their own sword!

      The good news: these same script kiddies probably don't burn a new Kali/Backtrack image very often, and... jesus fuck: they're almost all using the same private default key! lmao

    4. Re:Correct me if I am wrong by Anonymous Coward · · Score: 0

      You might have a bigger problem than a malicious sshd if attackers are able to change a daemon on your server.

    5. Re:Correct me if I am wrong by kthreadd · · Score: 2

      Not necessarily. If the attacker only has access to that one server then that's just one server. If the attacker was able to get my private ssh key then the attacker now has access to all servers. Neither situations are great but that's a pretty big difference.

    6. Re:Correct me if I am wrong by SlashdotOgre · · Score: 2

      That's my understanding as well, and I generally agree with your sentiment for home use however it is still a pretty significant bug. For most folks that always connect to the same systems that you trust, it's not a big issue. However if you're in a position where you're constantly connecting to new servers (i.e. at a large company), the fact that your private key can be leaked is very scary. Normally the biggest risk of connecting to an unknown server is getting your password stolen (i.e. A bad actor with dtrace access can debug sshd), but they would normally still not get your private key. With this but, a bad actor can easily get both.

      --
      Sadly, PS/2 was yet another victim of USB, which doesn't care what you plug into it, the electrical slut.
    7. Re:Correct me if I am wrong by Carewolf · · Score: 1

      But since this is a client bug, you would actually have to connect to a malicious SSHD session, correct?

      If that is the case... I don't see how this is a huge deal. Who SSH's to weird unknown servers?

      It is pretty common for git. Upload your public key and then connect using git over SSH. All it takes from then is to compromise the git-servers, or use a DNS attack to get the connection to the wrong servers.

    8. Re:Correct me if I am wrong by Xtifr · · Score: 1

      And before that, it was common with CVS & SVN. Probably with Mercurial, Bazaar, and Arch as well.

    9. Re:Correct me if I am wrong by Xtifr · · Score: 1

      In addition to all the version control software that supports "ssh:" protocols (from CVS up through git), there's those servers at work that lots of us connect to, without knowing who may have installed what on them.

      Of course, if your work has rogue admins who are installing trojan ssh servers (or are simply so bad at their jobs that they allow outsiders to install trojan ssh servers), then you've definitely got bigger problems. But fixing the leak on your side and updating your keys will at least cover your ass.

    10. Re:Correct me if I am wrong by marcansoft · · Score: 1

      The vulnerability is after host authentication, so that would trigger the usual host key mismatch red flags.

  10. SSH Agent by dskoll · · Score: 1

    Apparently, if you use ssh-agent then the keys in the agent cannot be leaked with this exploit.

    Finally, for these three reasons, passphrase-encrypted SSH keys are leaked in their encrypted form, but an attacker may attempt to crack the passphrase offline. On the other hand, SSH keys that are available only through an authentication agent are never leaked, in any form.

    Whew... I always use ssh-agent. But I've added UseRoaming no to all my boxes just to be safe anyway.

  11. Re:...and when you scroll all the way to the botto by bobthesungeek76036 · · Score: 1

    Are there CVEs for these?

    --
    Karma: Bad
  12. Re:...and when you scroll all the way to the botto by Anonymous Coward · · Score: 1

    Yes. CVE-2016-0777 and CVE-2016-0778.

  13. 5.4 to 7.1? by Anonymous Coward · · Score: 0

    The many eyes are very slow....

    1. Re:5.4 to 7.1? by rubycodez · · Score: 1

      for something that doesn't and can't apply in 99.99% of use cases....not losing any sleep over this vulnerability

  14. Malicious server by Anonymous Coward · · Score: 0

    A malicious server. I don't see how this can be exploited for anything useful. The client must have an account on the server and he must deliberately connect to it. So, it is an academic issue only.

    1. Re:Malicious server by Anonymous Coward · · Score: 0

      You've never had a legit server being exploited. This is a pretty good way to get the admin's ssh key. Now the attacker has access to every server.

  15. apt is *NOT* faster than slashdot by Froze · · Score: 2

    Thu 14 Jan 2016 :: 16:59:07 EST (-0500)

    # apt-get install openssh-client ...
    Get:3 http://security.debian.org/ jessie/updates/main openssh-client amd64 1:6.7p1-5+deb8u1 [691 kB]

    this is not 7.1p2 needed to mitigate this bug.

    Reposted non-anon to bump bonus

    --
    -- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
    1. Re:apt is *NOT* faster than slashdot by Anonymous Coward · · Score: 1

      Debian and other distributions frequently backport patches for older versions.

      I'm using: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.4, OpenSSL 1.0.1f 6 Jan 2014

      And it's patched for:
          * SECURITY UPDATE: information leak and overflow in roaming support
              - debian/patches/CVE-2016-077x.patch: completely disable roaming option
                  in readconf.c.
              - CVE-2016-0777
              - CVE-2016-0778

    2. Re:apt is *NOT* faster than slashdot by Froze · · Score: 1

      never mind, from the DSA, they back ported the changes

      For the stable distribution (jessie), these problems have been fixed in
      version 1:6.7p1-5+deb8u1.

      In my defense it does not say that in the advisory upon install...

      --
      -- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
  16. We need APPenSSH! by Anonymous Coward · · Score: 0

    Modern app appers know that only apps can app apps, so if it was changed to AppenSSH, it would use apps to app apps, not LUDDITE security keys!

    Apps!

  17. Affects me, the last two companies I worked for by raymorris · · Score: 4, Informative

    This issue affects anyone who connects to customer machines via SSH. If ANY customer machine is infected, the attacker can read my private key, which allows them to connect to and potentially infect ALL of my customers.

    Consider a hosting provider such as Rackspace or Hostgator. The Hostgator sysadmin spends his day connecting to various servers used by Hostgator customers. As soon as he logs into one server which is infected, the bad guys have his keys and can use them to infect ALL Hostgator servers, tens of thousands of servers.

    1. Re:Affects me, the last two companies I worked for by marcansoft · · Score: 4, Informative

      Only if you don't use an SSH agent. If you use an agent to store your keys, they are safe. Even if your keys leak because you're not using an agent, they can only leak in encrypted form (you use passphrases, don't you?). When the vulnerability is about to be triggered, a strange message (connection suspended, press return to resume) appears and must be dismissed (if you ^C at that point, you are safe).

      In otherwords, this is a panic situation only for people using non-passphrased keys and no SSH agent. You also have to accept a prompt that is not normal and should raise red flags before the vulnerability can happen. People who fit that description probably have other security problems to worry about.

      More realistically, you should patch your servers if you use any kind of SSH-based automation (e.g. where one master server uses SSH to automate tasks on slaves), since this allows an attacker to escalate from a target machine to the automation machine. But that requires first compromising the target, so it is not an emergency situation (unless your machines are already compromised and you don't know it, in which case, again, you have bigger problems).

    2. Re:Affects me, the last two companies I worked for by Anonymous Coward · · Score: 0

      Passphrases are great, but once the attacker has your private key, they can begin brute force attacks on it. In a normal SSH handshake, the private key is not transmitted (duh!) and so brute-force is not a problem.

      I'm an admin, and I do not connect to random serves, and I have no reason to suspect that my key has been compromised.

      That said, I have patched all servers, will be revoking all currently-trusted keys and re-generating new ones, and disabling the roaming feature on any client that cannot be upgraded (e g OS X).

  18. Here is a script to disable UseRoaming in OSX by lanimreT · · Score: 2

    Script to disable UseRoaming in Apple OS X https://gist.github.com/logica...

    --
    @LogicalMethods | www.sneaksneak.org
  19. Strikes me as an intentional vulnerability by gweihir · · Score: 0

    I.e. as an intentional attack against the OpenSSH project. First, nobody in any halfway professionally run project deploys experimental code to to production, especially when said code does nothing because the server-side implementation is missing. Activating it per default is also extremely suspicious. And second, the last backdoors found in firewalls are in devices that you typically would use SSH to log in to, i.e. these devices could attack their users, extract the users private keys and then check for password-less SSH being possible to other devices these users control.

    What the OpenSSH project needs to be doing now is explain in detail who put that code in there, how it came to be deployed and how it came to be on by default despite it clearly being an experimental feature. They need to identify at least one person or one contributing entity of either extreme stupidity or of malicious intent. And then they need to take steps to make sure this does not happen again.

    OpenSSH has an excellent security track record, lets hope this is an isolated incident. Because if OpenSSH falls, most of the Internet infrastructure falls right after it.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  20. true, automated tasks the main risk by raymorris · · Score: 3, Interesting

    That's true, the main risk is automated scripts, which don't use an agent and won't notice the odd prompt. Again though that includes large installations like Rackspace, Hostgator, etc. Anybody who has thousands of servers doesn't log into each one individually all the time, they script updates, backups, configuration, etc. And several bulk protocols including rsync, git, etc run on top of ssh.

    I'm certainly got my attention because a system I'm responsible for has one heavily fortified gateway machine which has access to many customer servers. I'm glad the bad guys didn't know about this before the good guys did, as far as we know.

  21. Ditto! by antdude · · Score: 1

    The following packages will be upgraded:
        openssh-client openssh-server openssh-sftp-server
    3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Need to get 1,060 kB of archives.
    After this operation, 238 kB disk space will be freed.

    I wonder if oldstable/Wheezy got them quickly too?

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  22. OLD as old by Anonymous Coward · · Score: 0

    This same thing was few years ago, one kiwi actually made a tool for exploiting it. Back the was rumours about US alphabet soups involvement.