Is COPSSH affected by the new "UseRoaming" vulnerability?

Anonymous

A new vulnerability has been discovered in OpenSSH that permits attackers to obtain sensitive information from authenticated sessions.
This could be exploited through an option called "UseRoaming", that allows the clients to reconnect to the server and resume their interrupted SSH session.
Risk:
-----
High
Impact:
-------
The vulnerability can also allow malicious users to possibly obtain sensitive information, execute arbitrary code, compromise the system and bypass security restrictions as well.
Affected Systems:
-----------------
OpenSSH versions 5.4 to 7.1;

itefix
Worth mentioning that the vulnerability affects the ssh client only, not the server. The product edition is updated with the latest OpenSSH fixing this vulnerability.

MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the global ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.
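
An added example, not part of the thread and not COPSSH or OpenSSH code: one way to audit client config files for the 'UseRoaming no' mitigation described above. The function name `roaming_status` and the sample host name are made up for illustration; pass the files in the order ssh reads them (user config, then the global file), since the first value obtained for a keyword wins.

```shell
#!/bin/sh
# Added example: check whether 'UseRoaming no' applies to every host.
# roaming_status FILE... prints one of:
#   disabled  a global-scope 'UseRoaming no' is reached first
#   enabled   a 'UseRoaming yes' is reached before any global 'no'
#   unset     no global setting found; the client's built-in default applies
roaming_status() {
    awk '
    FNR == 1 { global = 1 }            # each file starts outside any Host block
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        n = match(line, /[ \t=]/)      # keyword ends at whitespace or "="
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))
        val = tolower(substr(line, n))
        sub(/^[ \t]*=?[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)
        gsub(/"/, "", val)
        # Only "Host *" and "Match all" cover every destination.
        if (key == "host")  { global = (val == "*");   next }
        if (key == "match") { global = (val == "all"); next }
        if (key != "useroaming") next
        if (val == "yes")          { print "enabled";  found = 1; exit }
        if (val == "no" && global) { print "disabled"; found = 1; exit }
        # A host-scoped "no" protects only that host, so keep scanning.
    }
    END { if (!found) print "unset" }
    ' "$@"
}

# Constructed sample config: a host-specific block, then the global mitigation.
sample=$(mktemp)
printf '%s\n' 'Host build.example' '  Compression yes' \
              'Host *' '  UseRoaming no' > "$sample"
roaming_status "$sample"
rm -f "$sample"
```

A result of `unset` or `enabled` on a client in the affected version range means the mitigation is not in effect for at least some destinations.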
