Qualys security researchers find flaw in OpenSSH client




Security researchers from Qualys have identified a vulnerability in the OpenSSH client. It allows an attacker to use a malicious SSH server to read the client's memory, which can leak data including security keys.

The Undeadly site reports that versions 5.4 to 7.1 of the OpenSSH client are affected by the vulnerability, which has been assigned the identifier CVE-2016-0777. A patch is now available in the 7.1p2 release of the software.

Authentication of the server's host key ensures that the vulnerability cannot be exploited through a man-in-the-middle attack, only via a malicious or infected server. As an alternative to the patch, users can add "UseRoaming no" to their ssh configuration file, or pass the parameter "-oUseRoaming=no" to the ssh command on the command line.
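One way to audit a client for the affected version range and the UseRoaming workaround, as an added example that is not from the article or from the OpenSSH project. The function names and sample configs are constructed for illustration, and the config check only accepts a setting that applies to every host.

```shell
#!/bin/sh
# Added example, not from the article: audit a client for CVE-2016-0777.

# 0 if an `ssh -V` banner is in the range the article gives as affected
# (5.4 through 7.1, fixed in 7.1p2); 1 if not; 2 if unparseable.
version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p[0-9]*\)\{0,1\}.*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver                       # $1=major $2=minor $3=portable patch
    n=$(( $1 * 100 + $2 ))
    { [ "$n" -ge 504 ] && [ "$n" -le 701 ]; } || return 1
    if [ "$n" -eq 701 ] && [ "${3:-}" = "p2" ]; then return 1; fi
    return 0
}

# 0 only if the ssh_config text on stdin yields "UseRoaming no" for every host.
# ssh keeps the first value it obtains for an option, so the setting counts
# only before any Host/Match line or inside "Host *", and any earlier
# non-"no" value fails the check. Match blocks are treated as scoped.
roaming_disabled_globally() {
    awk '
        BEGIN { global = 1 }
        /^[ \t]*#/ || NF == 0 { next }
        { gsub(/=/, " "); key = tolower($1) }
        key == "host"  { global = (NF == 2 && $2 == "*"); next }
        key == "match" { global = 0; next }
        key == "useroaming" && verdict == "" {
            if (tolower($2) != "no") verdict = "exposed"
            else if (global) verdict = "no"
        }
        END { exit (verdict == "no" ? 0 : 1) }
    '
}

# Constructed sample configs: the first scopes the workaround to one host.
scoped='Host build.example
    UseRoaming no'
global='UseRoaming no
Host build.example
    User ci'
for cfg in "$scoped" "$global"; do
    if printf '%s\n' "$cfg" | roaming_disabled_globally; then
        echo "UseRoaming disabled for all hosts"
    else
        echo "UseRoaming NOT disabled for all hosts"
    fi
done
```

On a real client, pass `"$(ssh -V 2>&1)"` to `version_affected` and feed `~/.ssh/config` or `/etc/ssh/ssh_config` to `roaming_disabled_globally` on stdin. Distribution packages can carry the fix without changing the upstream version string, so treat a version hit as a prompt to check the package changelog.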

The bug could arise because experimental code for resuming secure ssh connections ended up in the OpenSSH client software. The code, however, never made it to the server.

