‘Serious’ security flaw in OpenSSH puts private keys at risk

A security vulnerability found in a widely-used open-source software has been described as “the most serious bug.”

A major vulnerability has been found and fixed in OpenSSH, an open-source remote connectivity tool using the Secure Shell protocol. The flaw was as a result of an “experimental” feature that allows users to resume connections.

More security news

According to a mailing list disclosing the flaw, a malicious server can trick an affected client to leak client memory, including a client’s private user keys.

The affected code enabled by default in OpenSSH client versions 5.4 to 7.1. The matching server code was never shipped, the mailing list said.

The flaw doesn’t have a catchy name unlike some other previous flaws, but disabling client-side roaming support fixes the issue.

A security patch — version 7.1p2 — is now available from the project’s website.

Release notes for the patch said the information leak is “restricted to connections to malicious or compromised servers.”

The flaw, which is said to be years’ old, was found by Qualys’ security advisory team. When reached on Thursday, the security firm did not immediately comment at the time of writing.

The security company later on Thursday published a lengthy post, including a proof-of-concept, effectively lighting a fire under every affected OpenSSH client.

It’s not clear if the vulnerability was privately reported to OpenSSH developers prior to its publication.

The flaw is thought to be one of the most severe flaws found in the open-source software in years.

Security researcher Kenneth White said in a tweet following the news breaking: “When there’s a serious security bug in the remote access tool used by 70-plus-percent of the servers in the world, people sit up and take notice.”

The software is also used on many (if not most) commercial routers and firewalls, said White in a follow-up email.

Read more on ZDNet:

Red Hat, CentOS, and Amazon Linux distributions are “mostly” unaffected by the bug, he said. But not everyone escaped some level of trouble.

Canonical said in an advisory that its Ubuntu operating system, versions 12.04, 1404, 15.04, and 15.10 are affected by the flaw. Red Hat Enterprise Linux (RHEL) versions 4, 5, and 6 are not affected, but some versions of RHEL 7 prior to March 2015 are impacted by the bug.

White said in an email that it’s “difficult to say” how big the impact will be.

He said many hundreds of thousands of Linux servers that connect to other systems — backup servers, for example — are are at risk of having their SSH admin keys stolen.”

“Developers and admins are advised to regenerate and rotate keys to systems they touch, whether for hobby [or] weekend projects, or more sensitive servers — including Github,” he added.

Bottom line? Patch now, and patch fast.

This post has been updated.