Vulnerability affecting OpenSSH

Yesterday, the OpenSSH project reported a client-side vulnerability affecting OpenSSH versions 5.4 to 7.1. A malicious SSH server could make the OpenSSH client leak memory contents, including data such as private keys, potentially exposing users to man-in-the-middle attacks. The leak is only possible after a client has successfully authenticated with a malicious SSH server, and the vulnerability exists only in the client, not in the server software itself.

This issue affects all OpenSSH clients between 5.4 and 7.1 on most modern operating systems, including Linux, FreeBSD and Mac OS X. More information can be found here.

While patches and updates are being rolled out for affected distributions, the feature causing this security issue can be disabled manually in order to resolve the issue. For any systems that cannot be patched yet, the recommended client configuration change is to add the following to the global /etc/ssh/ssh_config or your own local ~/.ssh/config file:

UseRoaming no

Once you have done this, you should close any open SSH sessions in order for the change to be effective.
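
One way to check a client for the state described above, as an added example that is not from the original article or the OpenSSH project: it compares the `ssh -V` banner with the 5.4 to 7.1 range and tests whether `UseRoaming no` is effective for every host. The function names are hypothetical; because ssh uses the first value it obtains for a keyword and reads ~/.ssh/config before /etc/ssh/ssh_config, a `UseRoaming no` placed under a single Host block, or after an earlier `UseRoaming yes`, is reported as not effective.

```shell
#!/bin/sh
# Added example (not from the OpenSSH project). Function names are hypothetical.

# version_in_range BANNER: BANNER is the text printed by `ssh -V`.
# Returns 0 only if it parses as OpenSSH major.minor within 5.4 to 7.1.
version_in_range() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    n=$(( ${ver% *} * 100 + ${ver#* } ))
    [ "$n" -ge 504 ] && [ "$n" -le 701 ]
}

# roaming_disabled FILE...: files in the order ssh reads them (user, then system).
# ssh keeps the first value it obtains for a keyword, so this returns 0 only if
# a "UseRoaming no" that applies to every host (top of a file or under "Host *")
# comes before any other UseRoaming value. Match blocks count as host-specific.
roaming_disabled() {
    for f in "$@"; do                    # drop files that do not exist
        shift
        if [ -r "$f" ]; then set -- "$@" "$f"; fi
    done
    [ "$#" -gt 0 ] || return 1
    awk '
        FNR == 1 { global = 1 }          # each file starts outside any Host block
        /^[ \t]*#/ { next }              # comment line
        { gsub(/[="]/, " "); $0 = tolower($0) }   # accept key=value, quotes, any case
        $1 == "host" || $1 == "match" {
            global = ($1 == "host" && NF == 2 && $2 == "*"); next
        }
        $1 != "useroaming" { next }
        $2 == "no" && global { ok = 1; exit }     # settles it for every host
        $2 != "no" { exit }              # an earlier "yes" wins for some host
        END { exit !ok }
    ' "$@"
}

audit_client() {
    banner=$(ssh -V 2>&1) || return 2
    if ! version_in_range "$banner"; then
        echo "outside 5.4-7.1 or unrecognised: $banner"; return 0
    fi
    if roaming_disabled "$HOME/.ssh/config" /etc/ssh/ssh_config; then
        echo "in range, roaming disabled for all hosts: $banner"
    else
        echo "in range, UseRoaming no not effective for all hosts: $banner"; return 1
    fi
}

[ "${1:-}" != "--run" ] || audit_client
```

Run the script with `--run` to audit the local client. A version in range only means the package may be affected, since a distribution can ship the fix without changing the major.minor number.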

If you’re unsure: regenerate all your key pairs

If you suspect someone may have gained access to your private keys using this vulnerability, or if you want to be sure just in case, you should regenerate all of your key pairs and upload the new public keys to your servers.
