A critical vulnerability that can leak a user's private SSH keys has just been patched in OpenSSH, a widely used implementation of the secure shell (SSH) protocol (tracked as CVE-2016-0777).
The flaw is in the OpenSSH client, the program end users run to connect to servers, not in the sshd server. Exploiting it requires control of a server the victim connects to; that server can then trick the client into handing over the contents of its memory, including private keys. The flaw stems from code enabling an experimental connection-roaming feature that shipped enabled by default in OpenSSH client versions 5.4 through 7.1.
“The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys,” OpenSSH said in an advisory published Thursday. “The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.”
OpenSSH urged anyone running a vulnerable version to update immediately; the fix shipped in OpenSSH 7.1p2. Those who are unable to update should disable roaming by adding “UseRoaming no” to the global ssh_config(5) file or to the per-user ~/.ssh/config, or by passing -oUseRoaming=no on the ssh command line.
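Two checks a practitioner would want to script when triaging client machines, written as an added example for this article rather than taken from the OpenSSH or Qualys advisories: one classifies an `ssh -V` banner against the affected range, the other reports the `UseRoaming` value that applies globally in a client config file. The function names and the sample banners and config fragments are this example's own.

```sh
#!/bin/sh
# Added example (not from the OpenSSH or Qualys advisories): triage checks
# for the OpenSSH client roaming leak. Function names are this example's own.

# Print "vulnerable", "fixed" or "unknown" for the banner `ssh -V` writes to
# stderr, e.g. "OpenSSH_7.1p1, OpenSSL 1.0.2e 3 Dec 2015".
# Affected clients are 5.4 through 7.1; the fix shipped in 7.1p2.
# Caveat: distributions backport fixes without bumping the version, so
# "vulnerable" here means "check the vendor advisory", not "exploitable".
classify_openssh_version() {
    case $1 in
        OpenSSH_*) ;;
        *) echo unknown; return 0 ;;
    esac
    ver=${1#OpenSSH_}
    ver=${ver%%,*}                 # drop ", OpenSSL ..."
    ver=${ver%% *}                 # drop a vendor suffix such as " Ubuntu-..."
    num=${ver%%p*}                 # "7.1" or "6.6.1"
    patch=${ver#"$num"}            # "p1", or "" for unsuffixed OpenBSD builds
    patch=${patch#p}
    # OpenBSD base ships unsuffixed versions and fixes them via errata; treat
    # such a banner as the first release and check the errata separately.
    : "${patch:=1}"
    case $num in *.*) ;; *) echo unknown; return 0 ;; esac
    major=${num%%.*}
    minor=${num#*.}; minor=${minor%%.*}
    case "$major$minor$patch" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }; then
        if [ "$major" -lt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -lt 1 ]; } ||
           { [ "$major" -eq 7 ] && [ "$minor" -eq 1 ] && [ "$patch" -lt 2 ]; }; then
            echo vulnerable; return 0
        fi
    fi
    echo fixed
}

# Print the UseRoaming value that applies to every host in the given
# ssh_config-style file, or "unset". ssh takes the first value it sees for a
# keyword, keywords are case-insensitive, and "Key=value" is accepted, so the
# scan mirrors that. A directive under a Host/Match block only covers those
# hosts, so scanning stops at the first such block (conservative: a later
# "Host *" block is not credited).
roaming_setting_in_config() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); if ($0 == "") next
          key = tolower($1)
          if (key ~ /^(host|match)$/ || key ~ /^(host|match)=/) exit
          if (key == "useroaming" || key ~ /^useroaming=/) {
              val = (key ~ /=/) ? substr(key, index(key, "=") + 1) : tolower($2)
              print (val == "" ? "unset" : val); found = 1; exit
          }
        }
        END { if (!found) print "unset" }' "$1"
}
```

Typical use on a client: `classify_openssh_version "$(ssh -V 2>&1 | head -n 1)"` followed by `roaming_setting_in_config /etc/ssh/ssh_config` and the same on `~/.ssh/config`. A banner in the affected range with no `no` from either config check is the case to act on: update, or add the directive above the first `Host` block so it applies everywhere.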
According to a separate advisory from Qualys, the company that discovered and responsibly disclosed the vulnerability, the information leak can be exploited only after the end user has successfully authenticated to the server. While this drastically reduces the chance of the flaw being exploited in the wild, Qualys researchers raised the possibility that highly sophisticated attackers have already made use of the bug by compromising legitimate servers that end users trust. The bug is well suited to that scenario: an attacker who already controls a server can harvest the private keys of every client that connects, and those keys grant continued access to other systems even after the original foothold is patched.
“The information leak is exploitable in the default configuration of the OpenSSH client, and (depending on the client’s version, compiler, and operating system) allows a malicious SSH server to steal the client’s private keys,” Qualys officials said. “This information leak may have already been exploited in the wild by sophisticated attackers, and high-profile sites or users may need to regenerate their SSH keys accordingly.”
A bug that lets a remote party read process memory on a vulnerable machine has similarities to Heartbleed, the catastrophic 2014 flaw in the OpenSSL crypto library. However, Heartbleed was far more severe and widespread: anyone with even moderate hacking skills could exploit nearly any website using the OpenSSL library, with no authentication at all. Because the OpenSSH bug can only be exploited after a vulnerable client authenticates to a malicious or compromised server, its severity is far lower.