OpenSSh client’s past version had a flaw that allows the hackers to read users’ private authentication keys for secure shell (SSH) protocol. This was due to a new feature introduced recently called roaming. Since 2010, OpenSSH clients after v5.4 this feature was enabled by default. This has been taken care of in the latest version OpenSSH 7.1p2. This issue allows a server to read information from a connecting client’s memory, including its private keys.#OpenSSH Patch for Bug That Exposes Private #SSH keys #Encryption #Security Click To Tweet
The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys.
As per the release from Openssh, the following ways are available now to handle. The link also has the patch to disable this feature.
SECURITY: Fix an out of-bound read access in the packet handling
code. Reported by Ben Hawkes.
PROTOCOL: Correctly interpret the ‘first_kex_follows’ option during
the intial key exchange. Reported by Matt Johnston.
Further use of explicit_bzero has been added in various buffer
handling code paths to guard against compilers aggressively
doing dead-store removal.
Networkworld discusses the serious implications of this bug.
The theft of users’ private SSH keys through this vulnerability could give attackers persistent access to servers compromised through other means. Even if the initial entry points used by the hackers were to be identified and fixed, they would still have SSH keys to log in as legitimate users.
In addition, some people reuse their SSH keys across multiple servers, just as some people reuse their passwords across multiple websites. This means that the compromise of a user’s SSH key could put more than one server at risk.
“This information leak may have already been exploited in the wild by sophisticated attackers, and high-profile sites or users may need to regenerate their SSH keys accordingly,” the Qualys researchers said in an advisory.
So, if you are using OpenSSH, please go ahead and get the fix ASAP!