-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0113
                          openssh security update
                              15 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openssh
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-0778 CVE-2016-0777

Reference:         ESB-2016.0111

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3446

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-3446-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
January 14, 2016                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openssh
CVE ID         : CVE-2016-0777 CVE-2016-0778
Debian bug     : 810984

The Qualys Security team discovered two vulnerabilities in the roaming
code of the OpenSSH client (an implementation of the SSH protocol
suite).

SSH roaming enables a client, in case an SSH connection breaks
unexpectedly, to resume it at a later time, provided the server also
supports it.

The OpenSSH server doesn't support roaming, but the OpenSSH client
supports it (even though it's not documented) and it's enabled by
default.

CVE-2016-0777

    An information leak (memory disclosure) can be exploited by a rogue
    SSH server to trick a client into leaking sensitive data from the
    client memory, including for example private keys.

CVE-2016-0778

    A buffer overflow (leading to a file descriptor leak) can also be
    exploited by a rogue SSH server, but due to another bug in the code
    it is possibly not exploitable, and only under certain conditions (not
    the default configuration), when using ProxyCommand, ForwardAgent or
    ForwardX11.

This security update completely disables the roaming code in the OpenSSH
client.

It is also possible to disable roaming by adding the (undocumented)
option 'UseRoaming no' to the global /etc/ssh/ssh_config file, or to the
user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on
the command line.
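To check whether a given ssh_config already carries the 'UseRoaming no' mitigation, and to add it if not, here is an added example (not Debian's or OpenSSH's own code). It assumes the documented ssh_config semantics: keywords are case-insensitive, 'key value' and 'key=value' are both accepted, and the first obtained value for a keyword wins; only global directives and 'Host *' blocks are treated as applying to every connection.

```shell
#!/bin/sh
# Hardening check for the DSA-3446 mitigation: does an ssh_config
# disable client roaming? Added example, not the project's own code.

# Print the effective UseRoaming value for the config file in $1
# (hypothetical helper). Directives in the global section or under
# "Host *" count; directives under any other Host/Match block are
# host-specific and are ignored. Prints "default" if unset.
effective_use_roaming() {
    awk '
        BEGIN { scope = 1; found = 0 }        # start in the global section
        {
            sub(/#.*/, "")                    # strip trailing comments
            gsub(/=/, " ")                    # accept key=value form
            if (NF < 2) next                  # blank or bare keyword
            key = tolower($1); val = tolower($2)
            if (key == "host")  { scope = ($2 == "*") ? 1 : 0; next }
            if (key == "match") { scope = 0; next }
            # first obtained value wins, exactly as ssh_config(5) says
            if (key == "useroaming" && scope && !found) {
                found = 1; print val
            }
        }
        END { if (!found) print "default" }
    ' "$1"
}

# True (exit 0) only when roaming is effectively disabled.
roaming_disabled() {
    [ "$(effective_use_roaming "$1")" = "no" ]
}

# Prepend a global "UseRoaming no" when the file does not already
# disable roaming. Prepending (not appending) matters, because an
# earlier "UseRoaming yes" would otherwise still win.
ensure_roaming_disabled() {
    roaming_disabled "$1" && return 0
    { printf 'UseRoaming no\n'; cat "$1"; } > "$1.tmp" && mv "$1.tmp" "$1"
}
```

Run it against /etc/ssh/ssh_config and ~/.ssh/config; a result of "default" means the client falls back to its built-in setting, which on unpatched versions is roaming enabled.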

Users with passphrase-less private keys, especially in non-interactive
setups (automated jobs using ssh, scp, rsync+ssh, etc.), are advised to
update their keys if they have connected to an SSH server they don't
trust.

More details about identifying an attack and mitigations will be
available in the Qualys Security Advisory.

For the oldstable distribution (wheezy), these problems have been fixed
in version 1:6.0p1-4+deb7u3.

For the stable distribution (jessie), these problems have been fixed in
version 1:6.7p1-5+deb8u1.

For the testing distribution (stretch) and unstable distribution (sid), these
problems will be fixed in a later version.

We recommend that you upgrade your openssh packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================