OpenSSH: Buffer overflow in roaming code (CVE-2016-0778)

This document (7017155) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 (SLES 12)
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)

SUSE Linux Enterprise Server 12 for SAP Applications Service Pack 1
SUSE Linux Enterprise Server 12 for SAP Applications
SUSE Linux Enterprise Server 11 for SAP Applications Service Pack 4
SUSE Linux Enterprise Server 11 for SAP Applications Service Pack 3

Expanded Support 7 (RES 7)

Situation

Since version 5.4 (released on March 8, 2010), the OpenSSH client supports an undocumented feature called "roaming":
If the connection to an SSH server breaks unexpectedly and the server supports roaming as well, the client is able to reconnect to the server and resume the suspended SSH session.
Although roaming is not supported by the OpenSSH server, it is enabled by default in the OpenSSH client and contains a heap-based buffer overflow.

Important: As mentioned above, this is a client vulnerability, not a server vulnerability.

Resolution

To ensure your servers are safe you have to install the following patches provided by SUSE:

SLES 12 & SLES 12 SP1 - affected (not exploitable; OpenSSH 6.6)
  • SUSE Patch was released on January 14th, 2016
  • openssh-6.6p1-33.1
  • openssh-cavs-6.6p1-33.1
  • openssh-fips-6.6p1-33.1
  • openssh-helpers-6.6p1-33.1

SLES 11 SP4 - affected (not exploitable; OpenSSH 6.6)
  • SUSE Patch was released on January 14th, 2016
  • openssh-6.6p1-16.1
  • openssh-cavs-6.6p1-16.1
  • openssh-fips-6.6p1-16.1
  • openssh-helpers-6.6p1-16.1

SLES 11 SP3 - affected (OpenSSH 6.2; only for keys >4k)
  • SUSE Patch was released on January 14th, 2016
  • openssh-6.2p2-0.24.1
  • openssh-askpass-6.2p2-0.24.1

SLES 11 SP2 - safe & NOT affected (OpenSSH 5.1p1)
SLES 11 SP1 - safe & NOT affected (OpenSSH 5.1p1)

SLES 10 SP4 - safe & NOT affected (OpenSSH 5.1p1)
SLES 10 other SP - not affected

Expanded Support 7 (RES 7) - affected
  • Patch has been released 15th January 2016
  • openssh-6.6p1-23.el7_2.1

Expanded Support 5 & 6 (RES 5 & RES 6) - not affected

The vulnerable roaming code can be permanently disabled by adding the undocumented option "UseRoaming no" to the system-wide configuration file (usually /etc/ssh/ssh_config), to the per-user configuration file (~/.ssh/config), or on the command line (-o "UseRoaming no").
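
Where the option is placed matters: ssh uses the first value it obtains for a keyword, and a setting inside a Host block applies only to the hosts that block matches. The shell function below is an added example, not part of the SUSE document; `roaming_status` and the sample host names are hypothetical, and it treats only the top of the file, `Host *` and `Match all` as scopes that cover every host.

```shell
#!/bin/sh
# Added example, not SUSE or OpenSSH code. roaming_status is a hypothetical helper.
# Prints how UseRoaming resolves in one ssh_config-style file:
#   disabled - "UseRoaming no" is the first value in a scope covering all hosts
#   enabled  - "UseRoaming yes" wins globally, or for some host listed earlier
#   unset    - no value covers all hosts, so the client default applies
roaming_status() {
    awk '
    BEGIN { global = 1; first = ""; scoped_yes = 0 }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        # Keywords are case-insensitive; the argument follows whitespace or "=".
        key = line; sub(/[ \t=].*$/, "", key)
        arg = substr(line, length(key) + 1)
        sub(/^[ \t]*=?[ \t]*/, "", arg); gsub(/"/, "", arg)
        key = tolower(key); arg = tolower(arg)
        # Lines before the first Host/Match, "Host *" and "Match all" cover all hosts.
        if (key == "host")  { global = (arg == "*");   next }
        if (key == "match") { global = (arg == "all"); next }
        if (key != "useroaming") next
        # ssh keeps the first value obtained, so later settings cannot override it.
        if (global && first == "") first = arg
        else if (!global && first == "" && arg == "yes") scoped_yes = 1
    }
    END {
        if (scoped_yes || first == "yes") print "enabled"
        else if (first == "no") print "disabled"
        else print "unset"
    }' "$1"
}

# Constructed sample: the option is scoped to one host, so every other host
# still gets the client default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host bastion.example
    UseRoaming no
Host *
    ForwardAgent no
EOF
echo "constructed sample: $(roaming_status "$sample")"
rm -f "$sample"

# The two configuration files named in the advisory.
for f in /etc/ssh/ssh_config "${HOME:-/nonexistent}/.ssh/config"; do
    if [ -r "$f" ]; then echo "$f: $(roaming_status "$f")"; fi
done
```

The client reads command-line options first, then the per-user file, then the system-wide file, so a result for one file only describes that file.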

SUSE also recommends recreating all client keys, or at least the important ones. It is not known whether this has already been exploited, but it is possible.

Cause


Additional Information

Link to CVE-2016-0778

Details on this can also be found in this Qualys advisory. SUSE would like to thank Qualys for the detailed report of this issue.

For CVE-2016-0777 please review TID#7017154

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7017155
  • Creation Date: 14-Jan-2016
  • Modified Date: 03-Mar-2020
    • SUSE Linux Enterprise Server
