If you’re using version 5.4-7.1 of OpenSSH, you should install the latest patch as soon as possible. The patch is for a critical vulnerability that can be exploited to reveal private keys to a malicious server. The vulnerability is tied to an undocumented feature called “roaming”. The roaming feature allows an OpenSSH client to resume an interrupted SSH session. If for some reason you’re unable to install the patch at this time, the vulnerable code can also be disabled by inserting “UseRoaming no” into the global ssh_config(5) file or adding “-UseRoaming=no” to the user configuration in ~/.ssh/config.
Despite the fact that this vulnerability is being compared to Heartbleed, it is not quite as severe. Exploiting this vulnerability would require a client to connect to a malicious SSH server. Heartbleed could be exploited by attacking the SSH server directly. However, it is still worth addressing this newly discovered vulnerability as soon as possible.
New Blog Post: OpenSSH Patch Released https://t.co/KYySigxPLc
RT @lbhuston: New Blog Post: OpenSSH Patch Released https://t.co/KYySigxPLc
OpenSSH Patch Released – If you’re using version 5.4-7.1 of OpenSSH, you should install the latest patch as soo… https://t.co/JnrUXFmu19
OpenSSH Patch Released – MSI :: State of Security #infosec https://t.co/kvsjqtKLKS
RT @infosectony: OpenSSH Patch Released – MSI :: State of Security #infosec https://t.co/kvsjqtKLKS