Advisory ID: 16-0003
Publish Date: 2016-02-01
Two vulnerabilities have been identified in the client implementation of OpenSSH which, under certain circumstances, would put a client SSH connection at risk of loss of sensitive information or denial of service.
The client implementation of OpenSSH in versions 5.4 to 7.1 includes code that under certain circumstances would put a client SSH connection at risk when connecting to a malicious server.
As per the OpenSSH release notes for 7.1p2 (as of 2016-01-19):
The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming).
The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys.
The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.
Additionally, the above versions of OpenSSH also expose client connections to potential denial of service attacks when connecting to malicious servers.
Some security scanning products may identify Mitel products as vulnerable based on the version of OpenSSH identified. However, Mitel does not anticipate that any of its products are affected by this vulnerability.
While some Mitel products may include the affected versions of OpenSSH, these products do not provide a general-purpose SSH client service, and are intended to operate as an SSH server to support remote connections. For these server products, the attacker would need to have administrative access to the server to exploit the client.
Mitigation / Recommended Action
Mitel products may introduce these changes in future releases as a precautionary measure. However, no action for Mitel products is required.
OpenSSH has provided steps for mitigation (see External References). Based on their recommendations, OpenSSH client installations should be updated to an unaffected version, or have support for roaming disabled, to protect against risk when connecting to untrusted hosts.
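An added example, not part of this advisory or of OpenSSH's own code: a Python check that decides whether a client is in the affected 5.4 to 7.1 range and whether roaming is disabled for every host. The `UseRoaming` keyword is the ssh_config option named in the OpenSSH release notes rather than on this page; the function names and sample inputs are constructed for illustration.

```python
import re

# Affected range as stated in the advisory: OpenSSH clients 5.4 to 7.1.
# 7.1p2 is the release whose notes the advisory quotes as carrying the fix.
_VERSION = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p(\d+))?")

def client_version_affected(banner):
    """banner is the text printed by `ssh -V`."""
    m = _VERSION.search(banner)
    if m is None:
        raise ValueError("not an OpenSSH version banner: %r" % banner)
    release = (int(m.group(1)), int(m.group(2)))
    portable = int(m.group(3) or 0)
    if release == (7, 1) and portable >= 2:
        return False
    return (5, 4) <= release <= (7, 1)

def roaming_disabled_globally(config_text):
    """True only if 'UseRoaming no' is the value ssh would use for every host."""
    applies_to_all = True  # directives before the first Host/Match are global
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if keyword in ("host", "match"):
            applies_to_all = keyword == "host" and value == "*"
        elif keyword == "useroaming":
            # ssh keeps the first value it obtains for an option, so an
            # earlier "yes" wins for the hosts that block matches.
            if value != "no":
                return False
            if applies_to_all:
                return True
    return False  # option absent: roaming was enabled by default

def client_exposed(banner, config_text):
    return client_version_affected(banner) and not roaming_disabled_globally(config_text)

# Constructed sample inputs, not taken from any real host.
SAMPLE_BANNER = "OpenSSH_6.9p1, OpenSSL 1.0.2d 9 Jul 2015"
SAMPLE_CONFIG = "Host build\n  UseRoaming no\nHost *\n  ForwardAgent no\n"

if __name__ == "__main__":
    print(client_exposed(SAMPLE_BANNER, SAMPLE_CONFIG))
```

Pass the user and system configuration files concatenated in the order ssh reads them; a per-host `UseRoaming no`, as in the sample, does not count as a global mitigation.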
Related CVEs / Advisories