
'Serious' security flaw in OpenSSH puts private keys at risk: ZDNet



#1 JohnC_21

Posted 14 January 2016 - 06:24 PM

A security vulnerability found in a widely-used open-source software has been described as "the most serious bug."

A major vulnerability has been found and fixed in OpenSSH, an open-source remote connectivity tool using the Secure Shell protocol. The flaw was the result of an "experimental" feature that allows users to resume connections.

According to a mailing list disclosing the flaw, a malicious server can trick an affected client to leak client memory, including a client's private user keys.

The affected code is enabled by default in OpenSSH client versions 5.4 to 7.1. The matching server code was never shipped, the mailing list said.

The flaw doesn't have a catchy name like some other previous flaws, but disabling client-side roaming support fixes the issue.

The flaw, which is said to be years old, was found by Qualys' security advisory team.

 

Wolfgang Kandek, chief technology officer at Qualys, confirmed in an email that the company disclosed the bugs to the OpenSSH team on January 11, and commended the team for working "incredibly fast" to get a patch out three days later.

"Developers and admins are advised to regenerate and rotate keys to systems they touch, whether for hobby [or] weekend projects, or more sensitive servers -- including Github," he added.

Bottom line? Patch now, and patch fast.

 

 

Article


Edited by JohnC_21, 14 January 2016 - 06:25 PM.
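The check implied by the article's two facts (client versions 5.4 to 7.1 affected, disabling client-side roaming fixes it), as an added example that is not part of the original thread. `UseRoaming` is the OpenSSH client option for the roaming feature, which the thread does not name; the function names and sample inputs are made up here.

```shell
#!/bin/sh
# Added example, not from the thread; sample banner and config are constructed.

# 0: `ssh -V` banner is in the 5.4-7.1 range quoted above; 1: outside it;
# 2: not an OpenSSH banner. In range is a hint only: packages may carry a fix.
roaming_affected() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *} minor=${ver#* }
    case $major in
        5) [ "$minor" -ge 4 ] ;;
        6) return 0 ;;
        7) [ "$minor" -le 1 ] ;;
        *) return 1 ;;
    esac
}

# 0 only if config file $1 sets "UseRoaming no" for all hosts (top of file or
# under "Host *") and no block sets any other value. Conservative by design.
roaming_disabled() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
          gsub(/[ \t=]+/, " ", line) }
        line == "" || line ~ /^#/ { next }
        line ~ /^(host|match) / { scoped = (line != "host *"); next }
        line ~ /^useroaming / {
            if (line != "useroaming no") bad = 1
            else if (!scoped) ok = 1
        }
        END { exit !(ok && !bad) }
    ' "$1"
}

# One verdict word for a client banner ($1) and a client config file ($2).
triage() {
    rc=0; roaming_affected "$1" || rc=$?
    case $rc in
        2) echo unknown-client ;;
        1) echo outside-range ;;
        0) if roaming_disabled "$2"; then echo mitigated; else echo exposed; fi ;;
    esac
}

# Constructed sample; live use: triage "$(ssh -V 2>&1)" "$HOME/.ssh/config"
cfg=$(mktemp); printf 'Host *\n  UseRoaming no\n' > "$cfg"
triage "OpenSSH_6.9p1, OpenSSL 1.0.2d" "$cfg"   # prints: mitigated
rm -f "$cfg"
```

A setting placed only inside a specific `Host` block, or a commented-out line, is reported as `exposed`, because it does not cover connections to other servers.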



 


#2 Demonslay335


Posted 14 January 2016 - 06:38 PM

HeartBleed 2.0?

 

*Frantically checks all administered servers*


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Googulator


Posted 15 January 2016 - 02:24 PM

I suggest SSHOLE.



#4 Didier Stevens


Posted 17 January 2016 - 11:41 AM

> HeartBleed 2.0?
>
> *Frantically checks all administered servers*

 

You need to update OpenSSH on the servers too, but it's the client that is affected by this vulnerability.


Edited by Didier Stevens, 17 January 2016 - 11:52 AM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 Demonslay335


Posted 17 January 2016 - 12:47 PM

 

> > HeartBleed 2.0?
> >
> > *Frantically checks all administered servers*
>
> You need to update OpenSSH on the servers too, but it's the client that is affected by this vulnerability.

 

 

Ya I know,  I was being sarcastic. :P

 

Updating Putty should be sufficient for most people, if even that. My servers don't SSH to each other, so I didn't really have anything to do (OpenSSH isn't even installed).




#6 Didier Stevens


Posted 17 January 2016 - 02:08 PM

 

 

> > > HeartBleed 2.0?
> > >
> > > *Frantically checks all administered servers*
> >
> > You need to update OpenSSH on the servers too, but it's the client that is affected by this vulnerability.
>
> Ya I know, I was being sarcastic. :P
>
> Updating Putty should be sufficient for most people, if even that. My servers don't SSH to each other, so I didn't really have anything to do (OpenSSH isn't even installed).

 

 

I'm pointing it out for other readers who might not understand that you were joking.

 

The vulnerabilities (CVE-2016-0777 and CVE-2016-0778) are for OpenSSH, not for Putty.

