OpenSSH: Buffer overflow in roaming code (CVE-2016-0778)
This document (7017155) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 12 for SAP Applications Service Pack 1
SUSE Linux Enterprise Server 12 for SAP Applications
SUSE Linux Enterprise Server 11 for SAP Applications Service Pack 4
SUSE Linux Enterprise Server 11 for SAP Applications Service Pack 3
Expanded Support 7 (RES 7)
Situation
If the connection to a SSH server breaks unexpectedly and if the server supports roaming as well, the client is able to reconnect to the server and resume the suspended SSH session.
Although roaming is not supported by the OpenSSH server, it is enabled by default in the OpenSSH client and contains a buffer overflow (heap-based).
Imporant: As mentioned above this is a Client vulnerability, not a server vulnerability.
Resolution
SLES 12 & SLES 12 SP1 - affected (not exploitable; OpenSSH 6.6)The vulnerable roaming code can be permanently disabled by adding the undocumented option "UseRoaming no" to the system-wide configuration file (usually /etc/ssh/ssh_config), or per user configuration file (~/.ssh/config), or command-line (-o "UseRoaming no").
- SUSE Patch was released on January 14th, 2016
- openssh-6.6p1-33.1
- openssh-cavs-6.6p1-33.1
- openssh-fips-6.6p1-33.1
- openssh-helpers-6.6p1-33.1
SLES 11 SP4 - affected (not exploitable; OpenSSH 6.6)
- SUSE Patch was released on January 14th, 2016
- openssh-6.6p1-16.1
- openssh-cavs-6.6p1-16.1
- openssh-fips-6.6p1-16.1
- openssh-helpers-6.6p1-16.1
SLES 11 SP3 - affected (OpenSSH 6.2; only for keys >4k)SLES 11 SP2 - safe & NOT affected (OpenSSH 5.1p1)
- SUSE Patch was released on January 14th, 2016
- openssh-6.2p2-0.24.1
- openssh-askpass-6.2p2-0.24.1
SLES 11 SP1 - safe & NOT affected (OpenSSH 5.1p1)
SLES 10 SP4 - safe & NOT affected (OpenSSH 5.1p1
SLES 10 other SP - not affected
Expanded Support 7 (RES 7) - affectedExpanded Support 5 & 6 (RES 5 & RES 6) - not affected
- Patch has been released 15th January 2016
- openssh-6.6p1-23.el7_2.1
SUSE also recommends recreating all client keys, at least the important ones. It is not known that this was already exploited but it is possible.
Cause
Additional Information
Details on this can also be found in this Qualys advisory . SUSE would like to thank Qualys for the detailed report of this issue.
For CVE-2016-0777 please review TID#7017154
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7017155
- Creation Date: 14-Jan-2016
- Modified Date:03-Mar-2020
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com