{"vuid":"VU#456088","idnumber":"456088","name":"OpenSSH Client contains a client information leak vulnerability and buffer overflow","keywords":["OpenSSH","ssh","buffer overflow"],"overview":"OpenSSH client code versions 5.4 through 7.1p1 contain a client information leak vulnerability that could allow an OpenSSH client to leak information, including but not limited to private keys, as well as a buffer overflow in certain non-default configurations.","clean_desc":"CWE-200: Information Exposure - CVE-2016-0777\nAccording to the OpenSSH release notes for version 7.1p2: The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming). The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys. The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.\nCWE-122: Heap-based Buffer Overflow - CVE-2016-0778\nAccording to Qualys, the API functions packet_write_wait() and ssh_packet_write_wait() may overflow in some scenarios after a successful reconnection. Qualys also notes that: The buffer overflow, on the other hand, is present in the default configuration of the OpenSSH client but its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X). This buffer overflow is therefore unlikely to have any real-world impact, but provides a particularly interesting case study. For more information, please see Qualys's advisory.\nThe CVSS score below is based on CVE-2016-0777.","impact":"A user that authenticates to a malicious or compromised server may reveal private data, including the user's private SSH key, or cause a buffer overflow that may lead to remote code execution in certain non-default configurations.","resolution":"Apply an update. OpenSSH 7.1p2 has been released to address these issues. Affected users are recommended to update as soon as possible. If updating is currently not an option, you may consider the following workaround:","workarounds":"Disable the 'UseRoaming' feature. The vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the global ssh_config(5) file or to the user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.","sysaffected":"","thanks":"This issue was previously coordinated and publicly disclosed by the Qualys Security Advisory Team.","author":"This document was written by Brian Gardiner and Garret Wassermann.","public":["http://www.openssh.com/txt/release-7.1p2","https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt","http://undeadly.org/cgi?action=article&sid=20160114142733","https://github.com/openssh/openssh-portable/blob/8408218c1ca88cb17d15278174a24a94a6f65fe1/roaming_client.c#L70","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777","https://isc.sans.edu/forums/diary/OpenSSH+71p2+released+with+security+fix+for+CVE20160777/20613/","https://access.redhat.com/articles/2123781"],"cveids":["CVE-2016-0777","CVE-2016-0778"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2016-01-14T15:01:44Z","publicdate":"2016-01-14T00:00:00Z","datefirstpublished":"2016-01-14T19:01:42Z","dateupdated":"2016-01-20T19:49:51Z","revision":46,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"N","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"4.3","cvss_basevector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","cvss_temporalscore":"3.6","cvss_environmentalscore":"2.66306229441","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}