[FIXED 6.1.7] OpenSSH: client bug CVE-0216-0778

NAS

By NAS
in Security

Recommended Posts

NAS Experienced

NAS

Posted
Posted

http://undeadly.org/cgi?action=article&sid=20160114142733

 

As it stands this looks like it will be an urgent fix to deploy.

 

* SECURITY: ssh(1): The OpenSSH client code between 5.4 and 7.1

  contains experimential support for resuming SSH-connections (roaming).

 

  The matching server code has never been shipped, but the client

  code was enabled by default and could be tricked by a malicious

  server into leaking client memory to the server, including private

  client user keys.

 

  The authentication of the server host key prevents exploitation

  by a man-in-the-middle, so this information leak is restricted

  to connections to malicious or compromised servers.

 

  MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client

  can be completely disabled by adding 'UseRoaming no' to the gobal

  ssh_config(5) file, or to user configuration in ~/.ssh/config,

  or by passing -oUseRoaming=no on the command line.

Link to comment
jonp Mentor

jonp

Posted
Posted

http://undeadly.org/cgi?action=article&sid=20160114142733

 

As it stands this looks like it will be an urgent fix to deploy.

 

* SECURITY: ssh(1): The OpenSSH client code between 5.4 and 7.1

  contains experimential support for resuming SSH-connections (roaming).

 

  The matching server code has never been shipped, but the client

  code was enabled by default and could be tricked by a malicious

  server into leaking client memory to the server, including private

  client user keys.

 

  The authentication of the server host key prevents exploitation

  by a man-in-the-middle, so this information leak is restricted

  to connections to malicious or compromised servers.

 

  MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client

  can be completely disabled by adding 'UseRoaming no' to the gobal

  ssh_config(5) file, or to user configuration in ~/.ssh/config,

  or by passing -oUseRoaming=no on the command line.

 

While we will patch this, it's actually not as urgent as you think.  This is an SSH CLIENT issue, not a server issue.  While we do include the ssh client with unRAID, the bug is only relevant if you are using it to initiate an SSH session from unRAID to another system, which isn't something we directly support or suggest (it would require you to login via command line to do this).  Connections TO unRAID from other devices does not make unRAID vulnerable to this bug.

Link to comment
jonp Mentor

jonp

Posted
Posted

Keep in mind that some people use rsync over ssh to remote servers locally and over the internet (and over a VPN).

Which is why we will patch it, but that isn't technically something we directly support or even suspect a large percentage of our users to be doing.  Just trying to highlight the difference in criticalness between this type of bug that only affects a few extra savvy users compared to the majority that restrict themselves to the confines our what unRAID OS provides through the webgui.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing