OpenSSH Patches Critical Flaw That Could Leak Private Crypto Keys

Share this…

OpenSSH today released a patch for a critical vulnerability that could be exploited by an attacker to force a client to leak private cryptographic keys.

The attacker would have to control a malicious server in order to force the client to give up the key, OpenSSH and researchers at Qualys said in separate advisories. Qualys’ security team found the vulnerability Jan. 11 and the OpenSSH team had it patched within three days.

The vulnerability was found in a non-documented feature called roaming that supports the resumption of interrupted SSH connections.

OpenSSH Patches Critical Flaw That Could Leak Private Crypto Keys

“The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys,” OpenSSH said in its advisory. “The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.”

Qualys chief technology officer Wolfgang Kandek told Threatpost that organizations should patch their OpenSSH implementations immediately, and regenerate their private keys as a precaution. Neither OpenSSH nor Qualys said they are aware of attacks exploiting the vulnerability, but both caution it’s not out of the realm of possibility that someone has already found the bug.

“It’s not a difficult vulnerability,” Kandek said. “From now on, patching is very important. Organizations need to get quickly to a point where they not vulnerable. Now that this is out, it’s sure to be implemented in exploit tools.”

OpenSSH said client code between versions 5.4 and 7.1 are vulnerable as it contains the roaming support. OpenSSH said that organizations may disable the vulnerable code by adding “UseRoaming no” to the global ssh_config(5) file.

The vulnerability harkens back to the Heartbleed vulnerability, in which an attacker could force key information to leak. Heartbleed, however, was much more dangerous in scope since attacks against this OpenSSH bug require the client to initiate a server connection.

“The information leak is exploitable in the default configuration of the OpenSSH client, and (depending on the client’s version, compiler, and operating system) allows a malicious SSH server to steal the client’s private keys,” Qualys said in its advisory. “This information leak may have already been exploited in the wild by sophisticated attackers, and high-profile sites or users may need to regenerate their SSH keys accordingly.”

There was a second vulnerability patched as well, a buffer overflow in the default OpenSSH client configuration, Qualys said.

“Its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X),” Qualys said. “This buffer overflow is therefore unlikely to have any real-world impact.”