Qualys security researchers find flaw in OpenSSH client




Security researchers from Qualys have identified a vulnerability in the OpenSSH client. It allows an attacker who controls a malicious SSH server to read from the memory of the client, which can leak data including security keys.

According to the Undeadly site, versions 5.4 to 7.1 of the OpenSSH client are affected by the vulnerability, which has been assigned the identifier CVE-2016-0777. A patch is now available in the 7.1p2 release of the software.

Authentication of the server's host key would ensure that the vulnerability cannot be used in a man-in-the-middle attack, but only via a malicious or infected server. As an alternative to the patch, users can add "UseRoaming no" to their ssh configuration file, or pass the parameter "-oUseRoaming=no" to the ssh command on the command line.
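One way to check a workstation against the version range and workaround described above. This is an added example, not code from Qualys or the OpenSSH project; the function names are hypothetical, and the rule that the first value ssh obtains for an option wins is standard ssh_config behaviour.

```sh
#!/bin/sh
# Added example. The affected range (5.4 to 7.1, fixed in 7.1p2) and the
# "UseRoaming no" workaround are taken from the article above.

# affected_version BANNER: status 0 if an `ssh -V` banner is in the affected range.
# Distribution packages may carry backported fixes, so treat a hit as a prompt to check.
affected_version() {
    v=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \4/p')
    [ -n "$v" ] || return 2                      # not an OpenSSH banner
    set -- $v                                    # $1=major $2=minor $3=portable patch level
    n=$(( $1 * 100 + $2 )); p=${3:-0}
    [ "$n" -ge 504 ] && [ "$n" -le 701 ] || return 1
    [ "$n" -eq 701 ] && [ "$p" -ge 2 ] && return 1
    return 0
}

# roaming_disabled FILE: status 0 if FILE turns roaming off for every host.
# ssh uses the first value it obtains, so "no" only counts when no earlier line
# sets another value and it sits before any Host/Match line or under "Host *".
roaming_disabled() {
    awk '
        BEGIN { all = 1 }                          # global section applies to all hosts
        /^[ \t]*#/ { next }                        # comment line
        { $0 = tolower($0); gsub(/[="]/, " ") }    # keyword=value and quoted values
        $1 == "host"  { all = (NF == 2 && $2 == "*"); next }
        $1 == "match" { all = 0; next }
        $1 == "useroaming" {
            if ($2 != "no") { bad = 1; exit }      # an earlier non-"no" value wins
            if (all)        { ok = 1; exit }
        }
        END { exit !(ok && !bad) }
    ' "$1"
}

audit() {
    banner=$(ssh -V 2>&1) || banner=""
    if affected_version "$banner"; then echo "client in affected range: $banner"
    else echo "client not in affected range (or no OpenSSH client found)"; fi
    for f in "${HOME:-}/.ssh/config" /etc/ssh/ssh_config; do
        [ -r "$f" ] || continue
        if roaming_disabled "$f"; then echo "$f: UseRoaming no applies to all hosts"
        else echo "$f: roaming is not disabled for all hosts"; fi
    done
}
audit
```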

The bug could arise because experimental code for resuming SSH connections ended up in the OpenSSH client software. The code, however, never made it to the server.

