DaemonForums  

News: News regarding BSD and related.

Old 15th January 2016
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Bug that can leak crypto keys just fixed in widely used OpenSSH

From http://arstechnica.com/security/2016...-used-openssh/

Quote:
Vulnerability allows malicious servers to read memory on connecting computers.

A critical bug that can leak secret cryptographic keys has just been fixed in OpenSSH, one of the more widely used implementations of the secure shell (SSH) protocol.

The vulnerability resides only in the version end users use to connect to servers and not in versions used by servers. A maliciously configured server could exploit it to obtain the contents of the connecting computer's memory, including the private encryption key used for SSH connections. The bug is the result of code that enables an experimental roaming feature in OpenSSH versions 5.4 to 7.1.

"The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys," OpenSSH officials wrote in an advisory published Thursday. "The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers."
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
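Added example, not part of the forum post or the Ars article: a POSIX shell audit for the client-side workaround the OpenSSH advisory gave for this bug, setting UseRoaming no in ssh_config. It checks that the directive is present as a global setting (ssh_config keywords are case-insensitive, accept Key=value, and the first value obtained wins, so a setting inside a Host or Match block only covers those hosts) and prepends it when missing. The sample config files are constructed for the demo.

```shell
#!/bin/sh
# Audit an OpenSSH client config for the roaming workaround:
# "UseRoaming no" must appear as a GLOBAL directive, i.e. before any
# Host/Match block, or it only applies to the hosts that block matches.

# roaming_setting FILE -> prints "no", "yes", "scoped" or "unset"
roaming_setting() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            gsub("=", " ", line)              # accept the UseRoaming=no form
            split(line, f, /[ \t]+/)
            key = tolower(f[1])               # keywords are case-insensitive
            if (key == "host" || key == "match") { scoped = 1; next }
            if (key == "useroaming" && f[2] != "") {
                print (scoped ? "scoped" : tolower(f[2]))   # first value wins
                found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# harden_config FILE: prepend a global "UseRoaming no" unless already set
harden_config() {
    [ "$(roaming_setting "$1")" = "no" ] && return 0
    tmp="$1.tmp.$$"
    { printf 'UseRoaming no\n'; cat "$1"; } > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample configs (not from the page) exercising each outcome.
demo() {
    d=$(mktemp -d)
    printf 'Host bastion\n  UseRoaming no\n' > "$d/scoped_only"
    printf '# hardened\nUseRoaming=no\nHost *\n  ForwardAgent no\n' > "$d/global"
    printf 'Host *\n  ForwardAgent no\n' > "$d/missing"
    for f in scoped_only global missing; do
        printf '%-12s %s\n' "$f" "$(roaming_setting "$d/$f")"
    done
    harden_config "$d/missing"
    printf '%-12s %s\n' "after fix" "$(roaming_setting "$d/missing")"
    rm -rf "$d"
}
demo
```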
Old 15th January 2016
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

For a more direct and authoritative description, see http://www.undeadly.org/cgi?action=a...&mode=expanded

Tags
openssh, ssh, useroaming



Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick