Flaw allows malicious OpenSSH servers to steal users’ private SSH keys

Qualys researchers have discovered two vulnerabilities in the popular OpenSSH implementation of the secure shell protocol, one of which (CVE-2016-0777) could be exploited by attackers to extract users’ private cryptographic keys.

“The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming). The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys,” OpenSSH officials explained in an advisory.

“It is an Information Disclosure bug, so on the CVSS scale, it probably does not rank as critical. However, the information disclosed are SSH keys, which are widely used for automation of system administration tasks and interactive logins,” noted Qualys CTO Wolfgang Kandek.

“Gaining access to these keys would allow an attacker to pose as owner of the keys, often then with system administration privileges. System administrators can typically install anything they want on the target system including backdoors and malware. The criticality being formally low is similar to Heartbleed, which also has a low CVSS score, but is a very serious vulnerability due to information that can be leaked.”

“An attacker has to control the SSH server to implement the attack. This means the attacker is already at system administrator level on the server that users connect to, which is already an exceptional security situation and should be pretty rare. A mere MITM position is not enough to run the attack, i.e. listening on the network is not powerful enough,” he explained.

“But if the attacker has control of the SSH server, he can implement the exploit and then gain access to the private keys of the users – these private keys can then be used to impersonate the user and log into other systems. Since SSH is often used to automate system administration processes, getting such a private key would provide very broad access to an infrastructure.”

More details about this and the buffer overflow bug discovered by Qualys and responsibly disclosed to the OpenSSH team can be found in this advisory. PoC code is also included.

“This information leak may have already been exploited in the wild by sophisticated attackers, and high-profile sites or users may need to regenerate their SSH keys accordingly,” the company also pointed out.

They advise users to upgrade their OpenSSH implementation as soon as possible.

“If you cannot patch immediately, set Use Roaming to Off. This should be easy for personal systems, but probably needs testing in automated scenarios to ensure that no unwanted side effects occur – these are unexpected, but it makes sense to test that everything still works as normal. If you can, regenerate your SSH keys to address the case where somebody exploited the vulnerability already and your keys have been leaked.”
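
An added example, not from the article or the OpenSSH project: a Python audit that checks an `ssh -V` banner against the 5.4 to 7.1 range quoted above and checks whether an ssh_config file turns roaming off for every host. It assumes the workaround is written `UseRoaming no` in ssh_config (the article phrases it as "Use Roaming to Off"); the sample config and host name are constructed.

```python
import re

# Client version range the advisory quoted above gives for the roaming code.
AFFECTED_MIN, AFFECTED_MAX = (5, 4), (7, 1)

def client_in_affected_range(banner):
    """banner is the text printed by `ssh -V`. Only major.minor is compared,
    so True means "check the vendor's fix status", not "confirmed vulnerable"."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        return None  # not an OpenSSH banner: review by hand
    return AFFECTED_MIN <= (int(m.group(1)), int(m.group(2))) <= AFFECTED_MAX

def roaming_findings(config_text):
    """Return (disabled_for_all_hosts, hosts_that_keep_roaming_on).

    ssh uses the first value it obtains for an option, so 'UseRoaming yes' in
    an earlier Host block beats a later 'Host *' / global 'UseRoaming no'.
    """
    scope = "*"          # lines before the first Host/Match apply to every host
    global_value = None  # first UseRoaming value seen in global scope
    reenabled = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)$", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key in ("host", "match"):
            scope = value if key == "host" else "match " + value
        elif key == "useroaming":
            if scope == "*":
                if global_value is None:
                    global_value = value.lower()
            elif value.lower() == "yes" and global_value != "no":
                reenabled.append(scope)
    return global_value == "no", reenabled

# Constructed sample: the global 'no' comes too late for the first host.
SAMPLE_CONFIG = """\
Host legacy-build
    UseRoaming yes
Host *
    UseRoaming no
"""

if __name__ == "__main__":
    print(client_in_affected_range("OpenSSH_6.6.1p1 Ubuntu-2ubuntu2"))
    print(roaming_findings(SAMPLE_CONFIG))
```

Run it against both the system-wide and the per-user client configuration, since either file can supply the first value ssh obtains.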