The Community Forums


Update OpenSSH client

Discussion in 'Security' started by Skin, Jan 18, 2016.

  1. Skin

    Skin Well-Known Member

    Joined:
    Feb 3, 2006
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Italy
    Hello,
    I've received this e-mail from my vps provider:
    Protecting Against CVE-2016-0777 and CVE-2016-0778

    Posted: 15 Jan 2016 08:36 AM PST

    Overview
    A flaw in OpenSSH, discovered and reported by Qualys on Jan. 14, 2016, could potentially allow an information leak (CVE-2016-0777) or buffer overflow (CVE-2016-0778) via the OpenSSH client. Specifically, an undocumented feature called roaming, introduced in OpenSSH version 5.4, can be exploited to expose a client’s private SSH key.

    Impact
    The roaming feature, which allows clients to reconnect to the server automatically should the connection drop (on servers supporting the feature), can be exploited in the default configuration of OpenSSH clients from versions 5.4 through 7.1p1, but is not supported in the default configuration of the OpenSSH server.

    All versions of OpenSSH clients from 5.4 through 7.1p1 are affected for anyone who connects via SSH on the following operating systems:

    • Linux
    • FreeBSD
    • Mac OS X
    • Windows when using OpenSSH for Windows
    The following are not affected:

    • OpenSSH servers in default configuration
    • Windows users utilizing PuTTY to connect
    • Connections not authenticated via an SSH key
    Summary
    A connection made from an affected client to a compromised or malicious server which uses an SSH key for authentication potentially could expose all or part of the user’s private SSH key.

    If the key utilized to authenticate the connection is encrypted, only the encrypted private key could be exposed. However, a malicious party could attempt to brute-force the password offline after obtaining the encrypted key.

    Is Your SSH Client Vulnerable?
    You can check the version of your SSH client by running the following command:

    ssh -V

    That will produce output similar to:

    workstation$ ssh -V
    OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015

    If the version is below 7.1p2, the SSH client is affected.

    I checked my ssl version and it is an old OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013

    I tried to update
    Code:
    yum clean all && yum update
    
    But there are no updates for the SSH client.

    How can I update? Is this openssh version insecure?
    Thanks

    P.S. my operating system is CentOS Linux release 7.1.1503
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Please keep in mind that updates to the OpenSSH package are shipped by your OS vendor (e.g. CentOS, Red Hat). This often comes in the form of a patch to the existing version of the package. Here's an example of a command you can run to determine if a patch for these vulnerabilities has been implemented:

    Code:
    rpm -q --changelog openssh | grep CVE-2016
    You should see this output:

    Code:
    - prevents CVE-2016-0777 and CVE-2016-0778
    Thank you.
     
    eva2000 and Skin like this.
  3. Skin

    Skin Well-Known Member

    Joined:
    Feb 3, 2006
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Italy
    Hello,
    I've tried with
    Code:
    rpm -q --changelog openssl | grep CVE-2016
    but nothing happens
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  5. Skin

    Skin Well-Known Member

    Joined:
    Feb 3, 2006
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Italy
    I've updated my /etc/ssh/ssh_config
    Code:
    echo 'UseRoaming no' | sudo tee -a /etc/ssh/ssh_config
    Should I generate new keys?
     
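    The three checks the thread walks through (the `ssh -V` version string from the advisory in post 1, the `rpm -q --changelog openssh` check from post 2, and the `UseRoaming no` mitigation from post 5) combined into one assessment script. This is an added example, not code from this thread, cPanel or OpenSSH; the function and file names are my own, and the live mode assumes an RPM-based host.

    ```shell
    #!/bin/sh
    # Added example (not from the thread, cPanel or OpenSSH): assess an OpenSSH
    # client for the CVE-2016-0777 roaming issue from the three signals the
    # thread uses: the "ssh -V" string, the package changelog (a backported fix
    # keeps the old version number, e.g. 6.6.1p1 on CentOS 7) and UseRoaming.

    # Classify an "ssh -V" string. Affected range: OpenSSH 5.4 through 7.1p1.
    # Prints affected / not-affected / unknown.
    version_status() {
        v=${1#OpenSSH_}; v=${v%%,*}; v=${v%% *}
        case $v in *p*) p=${v##*p}; v=${v%p*}; p=${p:-0} ;; *) p=0 ;; esac
        case $v in *.*) ;; *) echo unknown; return ;; esac
        maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}
        case "$maj$min$p" in ''|*[!0-9]*) echo unknown; return ;; esac
        n=$((maj * 100 + min))
        if [ "$n" -lt 504 ]; then echo not-affected   # roaming was added in 5.4
        elif [ "$n" -lt 701 ] || { [ "$n" -eq 701 ] && [ "$p" -le 1 ]; }; then
            echo affected
        else echo not-affected
        fi
    }

    # True when the distro changelog records a backport of the fix (what
    # "rpm -q --changelog openssh | grep CVE-2016" looks for).
    changelog_has_fix() { printf '%s\n' "$1" | grep -q 'CVE-2016-0777'; }

    # True when ssh_config has an uncommented "UseRoaming no" (the interim
    # mitigation). Host-block scoping is ignored; any such line counts.
    roaming_disabled() {
        printf '%s\n' "$1" | grep -iq '^[[:space:]]*UseRoaming[[:space:]]\{1,\}no[[:space:]]*$'
    }

    # Combine the signals: $1 = ssh -V output, $2 = changelog text,
    # $3 = ssh_config text. Prints patched / not-affected / mitigated /
    # vulnerable / unknown. A recorded backport wins over the version string.
    assess() {
        if changelog_has_fix "$2"; then echo patched; return; fi
        case $(version_status "$1") in
            not-affected) echo not-affected ;;
            unknown) echo unknown ;;
            affected) if roaming_disabled "$3"; then echo mitigated; else echo vulnerable; fi ;;
        esac
    }

    # Live mode, run as "sh check.sh --live" on the host being assessed.
    if [ "${1-}" = "--live" ]; then
        assess "$(ssh -V 2>&1)" "$(rpm -q --changelog openssh 2>/dev/null || true)" \
            "$(cat /etc/ssh/ssh_config 2>/dev/null || true)"
    fi
    ```

    A result of "vulnerable" on a CentOS 7 host with 6.6.1p1 means the RHSA-2016-0043 backport has not landed, which is the situation the thread ends on.
    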
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Were you able to determine if the security patches were backported to the version of OpenSSH installed on your system?

    Thank you.
     
  7. Skin

    Skin Well-Known Member

    Joined:
    Feb 3, 2006
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Italy
    If I try with
    Code:
    rpm -q --changelog openssh | grep CVE-2016
    nothing happens.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  9. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    In regards to changing SSH keys, I did change mine, because paranoia is cheap and incident response is not.

    In regards to updates, you will probably not see updates on CentOS 4/5/6 (4 is EOL anyway) because they were unaffected. CentOS 7 may receive updates per the information below:

    OpenSSH: Information-leak vulnerability (CVE-2016-0777) - Red Hat Customer Portal

    Affected Products
    • Red Hat Enterprise Linux 4, 5, and 6 are not affected by this flaw because they include OpenSSH versions older than 5.4, and hence do not implement the roaming feature.
    • Red Hat Enterprise Linux 7 since version 7.1 has provided OpenSSH 6.6 for which the default configuration is not affected by this flaw. OpenSSH 6.6 is only vulnerable to this issue when used with certain non-default ProxyCommand settings. Security update RHSA-2016-0043 corrects this issue.
    • Red Hat Enterprise Linux 7 prior to version 7.1 (released in March 2015) provides OpenSSH 6.4 and is impacted regardless of the use of the ProxyCommand settings. The OpenSSH packages were updated from version 6.4 to version 6.6 in Red Hat Enterprise Linux 7.1 via RHSA-2015:0425.
     
    Skin likes this.
  10. Skin

    Skin Well-Known Member

    Joined:
    Feb 3, 2006
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Italy
    If I run yum update there are no packages marked for update.
    @quizknows
    Thanks
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I suggest consulting with your provider to determine why your system is not updating to the latest version of CentOS or why you are not receiving package updates. It's possible you are using invalid YUM repo files.

    Thank you.
     